dcrat | 65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fd8ab8d6bffd83d24ec8c669958653.exe
Size

1.5MB
MD5

b8fd8ab8d6bffd83d24ec8c669958653
SHA1

7cf5979b3d3aa0a10d595f9a9db286b689a2d167
SHA256

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a
SHA512

b258de30aebe40dd80112011827e23c569c776e90c79fb4d00ac25760c4ce9344d6f5104d9f79d78ea8884fb53b25ced0a12f1df5d4a232057686422611afb4a
SSDEEP

24576:U2G/nvxW3Ww0t6kS6gR4zPK3r0Y2bpq5vbf4w8IzRII4Wa6gSqJ8S:UbA306DRcIruWf7RII2vS+r

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2692	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2692	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9f-10.dat	dcrat
behavioral2/memory/4696-13-0x0000000000460000-0x0000000000596000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	serverperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 14 IoCs

pid	Process
4696	serverperf.exe
4592	sihost.exe
556	sihost.exe
2384	sihost.exe
3008	sihost.exe
2212	sihost.exe
2672	sihost.exe
1656	sihost.exe
468	sihost.exe
3100	sihost.exe
1128	sihost.exe
3588	sihost.exe
1988	sihost.exe
2776	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
53	pastebin.com
39	pastebin.com
43	pastebin.com
51	pastebin.com
52	pastebin.com
42	pastebin.com
49	pastebin.com
50	pastebin.com
54	pastebin.com
19	pastebin.com
20	pastebin.com
24	pastebin.com
38	pastebin.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Idle.exe	serverperf.exe
File opened for modification	C:\Windows\System32\Idle.exe	serverperf.exe
File created	C:\Windows\System32\6ccacd8608530f	serverperf.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\ea1d8f6d871115	serverperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	serverperf.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\Registry.exe	serverperf.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\ee2ad38f3d4382	serverperf.exe
File created	C:\Program Files (x86)\Internet Explorer\explorer.exe	serverperf.exe
File created	C:\Program Files (x86)\Internet Explorer\7a0fd90576e088	serverperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	serverperf.exe
File created	C:\Program Files\Google\ee2ad38f3d4382	serverperf.exe
File created	C:\Program Files\Windows NT\TableTextService\upfc.exe	serverperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	serverperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	serverperf.exe
File created	C:\Program Files\Google\Registry.exe	serverperf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\explorer.exe	serverperf.exe
File created	C:\Windows\TAPI\7a0fd90576e088	serverperf.exe
File created	C:\Windows\TAPI\sihost.exe	serverperf.exe
File created	C:\Windows\TAPI\66fc9ff0ee96c2	serverperf.exe
File created	C:\Windows\WaaS\services\smss.exe	serverperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe
4976	schtasks.exe
2368	schtasks.exe
3256	schtasks.exe
1100	schtasks.exe
4860	schtasks.exe
3008	schtasks.exe
2820	schtasks.exe
900	schtasks.exe
5048	schtasks.exe
3588	schtasks.exe
4872	schtasks.exe
3200	schtasks.exe
5036	schtasks.exe
1032	schtasks.exe
1828	schtasks.exe
2940	schtasks.exe
3820	schtasks.exe
4528	schtasks.exe
2600	schtasks.exe
544	schtasks.exe
1696	schtasks.exe
5052	schtasks.exe
2420	schtasks.exe
1492	schtasks.exe
2676	schtasks.exe
668	schtasks.exe
1548	schtasks.exe
32	schtasks.exe
2892	schtasks.exe
1744	schtasks.exe
2756	schtasks.exe
4360	schtasks.exe
2040	schtasks.exe
4140	schtasks.exe
952	schtasks.exe
5000	schtasks.exe
1972	schtasks.exe
4404	schtasks.exe
2136	schtasks.exe
1404	schtasks.exe
4440	schtasks.exe
3140	schtasks.exe
4136	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4696	serverperf.exe
4592	sihost.exe
556	sihost.exe
2384	sihost.exe
3008	sihost.exe
2212	sihost.exe
2672	sihost.exe
1656	sihost.exe
468	sihost.exe
3100	sihost.exe
1128	sihost.exe
3588	sihost.exe
1988	sihost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	serverperf.exe
Token: SeDebugPrivilege	4592	sihost.exe
Token: SeDebugPrivilege	556	sihost.exe
Token: SeDebugPrivilege	2384	sihost.exe
Token: SeDebugPrivilege	3008	sihost.exe
Token: SeDebugPrivilege	2212	sihost.exe
Token: SeDebugPrivilege	2672	sihost.exe
Token: SeDebugPrivilege	1656	sihost.exe
Token: SeDebugPrivilege	468	sihost.exe
Token: SeDebugPrivilege	3100	sihost.exe
Token: SeDebugPrivilege	1128	sihost.exe
Token: SeDebugPrivilege	3588	sihost.exe
Token: SeDebugPrivilege	1988	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 3348	728	b8fd8ab8d6bffd83d24ec8c669958653.exe	82
PID 728 wrote to memory of 3348	728	b8fd8ab8d6bffd83d24ec8c669958653.exe	82
PID 728 wrote to memory of 3348	728	b8fd8ab8d6bffd83d24ec8c669958653.exe	82
PID 3348 wrote to memory of 4444	3348	WScript.exe	83
PID 3348 wrote to memory of 4444	3348	WScript.exe	83
PID 3348 wrote to memory of 4444	3348	WScript.exe	83
PID 4444 wrote to memory of 4696	4444	cmd.exe	85
PID 4444 wrote to memory of 4696	4444	cmd.exe	85
PID 4696 wrote to memory of 4592	4696	serverperf.exe	132
PID 4696 wrote to memory of 4592	4696	serverperf.exe	132
PID 4592 wrote to memory of 112	4592	sihost.exe	139
PID 4592 wrote to memory of 112	4592	sihost.exe	139
PID 112 wrote to memory of 3748	112	cmd.exe	141
PID 112 wrote to memory of 3748	112	cmd.exe	141
PID 112 wrote to memory of 556	112	cmd.exe	142
PID 112 wrote to memory of 556	112	cmd.exe	142
PID 556 wrote to memory of 700	556	sihost.exe	143
PID 556 wrote to memory of 700	556	sihost.exe	143
PID 700 wrote to memory of 1708	700	cmd.exe	145
PID 700 wrote to memory of 1708	700	cmd.exe	145
PID 700 wrote to memory of 2384	700	cmd.exe	147
PID 700 wrote to memory of 2384	700	cmd.exe	147
PID 2384 wrote to memory of 2412	2384	sihost.exe	149
PID 2384 wrote to memory of 2412	2384	sihost.exe	149
PID 2412 wrote to memory of 216	2412	cmd.exe	151
PID 2412 wrote to memory of 216	2412	cmd.exe	151
PID 2412 wrote to memory of 3008	2412	cmd.exe	152
PID 2412 wrote to memory of 3008	2412	cmd.exe	152
PID 3008 wrote to memory of 4652	3008	sihost.exe	153
PID 3008 wrote to memory of 4652	3008	sihost.exe	153
PID 4652 wrote to memory of 3140	4652	cmd.exe	155
PID 4652 wrote to memory of 3140	4652	cmd.exe	155
PID 4652 wrote to memory of 2212	4652	cmd.exe	156
PID 4652 wrote to memory of 2212	4652	cmd.exe	156
PID 2212 wrote to memory of 1696	2212	sihost.exe	157
PID 2212 wrote to memory of 1696	2212	sihost.exe	157
PID 1696 wrote to memory of 1852	1696	cmd.exe	159
PID 1696 wrote to memory of 1852	1696	cmd.exe	159
PID 1696 wrote to memory of 2672	1696	cmd.exe	160
PID 1696 wrote to memory of 2672	1696	cmd.exe	160
PID 2672 wrote to memory of 860	2672	sihost.exe	161
PID 2672 wrote to memory of 860	2672	sihost.exe	161
PID 860 wrote to memory of 2196	860	cmd.exe	163
PID 860 wrote to memory of 2196	860	cmd.exe	163
PID 860 wrote to memory of 1656	860	cmd.exe	164
PID 860 wrote to memory of 1656	860	cmd.exe	164
PID 1656 wrote to memory of 1496	1656	sihost.exe	165
PID 1656 wrote to memory of 1496	1656	sihost.exe	165
PID 1496 wrote to memory of 3120	1496	cmd.exe	167
PID 1496 wrote to memory of 3120	1496	cmd.exe	167
PID 1496 wrote to memory of 468	1496	cmd.exe	168
PID 1496 wrote to memory of 468	1496	cmd.exe	168
PID 468 wrote to memory of 1744	468	sihost.exe	169
PID 468 wrote to memory of 1744	468	sihost.exe	169
PID 1744 wrote to memory of 4352	1744	cmd.exe	171
PID 1744 wrote to memory of 4352	1744	cmd.exe	171
PID 1744 wrote to memory of 3100	1744	cmd.exe	172
PID 1744 wrote to memory of 3100	1744	cmd.exe	172
PID 3100 wrote to memory of 3836	3100	sihost.exe	173
PID 3100 wrote to memory of 3836	3100	sihost.exe	173
PID 3836 wrote to memory of 2216	3836	cmd.exe	175
PID 3836 wrote to memory of 2216	3836	cmd.exe	175
PID 3836 wrote to memory of 1128	3836	cmd.exe	176
PID 3836 wrote to memory of 1128	3836	cmd.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe
"C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refhostperf\YDUzd2DburnkxzGba.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\refhostperf\serverperf.exe
      "C:\refhostperf\serverperf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3748
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1708
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:216
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3140
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1852
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2196
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3120
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4352
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2216
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        24⤵
        
        PID:3928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4652
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        26⤵
        
        PID:4532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4296
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
        28⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3212
        
        C:\Windows\TAPI\sihost.exe
        
        "C:\Windows\TAPI\sihost.exe"
        29⤵
        Executes dropped EXE
        
        PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\refhostperf\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\refhostperf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\refhostperf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\refhostperf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\refhostperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\refhostperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat

Filesize
191B

MD5
66424afddf92d83ae3f6fe0db4cf1cdc

SHA1
0d76fd12db596180c075603e8121dc44eb4ee573

SHA256
6f3526b010c15973d677f545698e05e386f0b04c688c259a1d210af986b8bb64

SHA512
fa427002f619e1b5193357ac9aacd9a77bbb4f2878fd2d0a456dbcfc394cb30b57fd66cfb7de8b76ff41cf08b44ff0fd4639c0ba2a0cfd8e822f94cce45d21ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
191B

MD5
cedc2e108441bb2f0e816f307e63f3a0

SHA1
64599cb9bf2fcb8aaf7d25c7fa2d2dcd6318ece7

SHA256
71fd3afb7d290ec969c4f1f49b65a907e73435809b8de99152129869125e7f1d

SHA512
91278ecc8061f1c5cf8b76bee95aa3e7040be794d51867e762295a3bbf3ef3d558d3928a8b93b60866e47f0f0c1f678e76eac86e4fa0eac66f2ee76c0673129a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
191B

MD5
4178dd54665524b3890a3dc3f881f92d

SHA1
7e7f201eb9cdbc333c2cad571b598369bd00a476

SHA256
85d100b836b8d6395234a38572944e755536f3e3003f40a899657660ffb244ba

SHA512
ff370614f941d04d4188236951586a7b7a08c64aa276222c9835531d9e474a221376d453fbf9d8bc3373b8abbe900ddb9afd090982eeb9f70b77495e1d155b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat

Filesize
191B

MD5
482535312f9ebc29210ff25c887781b2

SHA1
2d5f530c826e0f6310c25a730a20a82710e0e954

SHA256
34809d28d28a986d580a9a16dab3521b805620c9edd017cee32ccd6f4fbe2320

SHA512
9919d1f5ae13e5bba5611ea5a416ca26c9f26bbf8ca31975c7fb6d5806800f3d9850bdcc4372a6aec9b39ca79f6c0f0e9fc2f482da5d9ec18e3dc89fa9bff0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
191B

MD5
5863501256de13b399998a021b862e63

SHA1
6d56d9ec856cca0b2b122a5c0317da929d88fc6a

SHA256
ea8ccd4563b7aea636adfe7ca8969e1f5b62a15d9294090b7aaa2365b327b742

SHA512
ba09eab9612d1a244a015e9ab95f9302cb8b7004ad7e84334e1224f4e4e313b118b464218de4789aa35e4052a61d36f9eb7ac0dd896fba4f565f0d63127ae668

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
191B

MD5
eaf93b1fb1d8261ca9eb279cdcbf5939

SHA1
dfef39177cb5c9f712a402dfdc21d2d82c85dd93

SHA256
2cc8d3605532cb527861cc816a605a2789eea8fe6ce007763acda5c8d85c1012

SHA512
83b4cc17f6fcb3858f591adde4857889dcb69817c03d49444badee5e9c91184a48962367ac59bbd187020900fcf7f5b0f6993f957623c3baff6480224da57700

Download Submit
C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

Filesize
191B

MD5
443de3dde70a09e000afbd2fde51d85c

SHA1
84c3fe599fea02bd63b3a79336a15fc3cb3b3e32

SHA256
34ee0484b49598de194478317e8cce79494666154d9df4fafdefd55891157413

SHA512
0e1226cba3a8a60997075013dc0a8b7220f818b07dd709e11e581d6cf6272662ffcede55c11fce874a3ecf388b209b43b0a7726bf533fcde5fdec09a0f3a1f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
191B

MD5
8199629d6d1ef49acb92a34186cee3cf

SHA1
e7a39973b6056f4704916064011c84f0b6a0f8d9

SHA256
b6816bdf8a8b5c9c1813117f96570bf443cef31eed1391e3a098bb41dd3fc20e

SHA512
3586c311a1228a6f6f113395116793b95b251593e8032f4a37a0405cd2f903e4f7e63b7235a3dfeef8021214749a62e79bc4970723bfde1199be0a49e8a44c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
191B

MD5
f27f6da25e19bc108b43adb30b6132d0

SHA1
173aa93ef7c066363493758e4ed582a2261b9066

SHA256
7169a3afa5ec6638475b1ffa15c4af72dc128d2b861ee12613269893d36c6047

SHA512
3a70e567686774805fd2a78d105ec4ff9ad20444ba6272c42ed655503bd19215fda0b05f7889b0cdf0c168c4a4b86c84e945a63ee29925d2d46223230894b4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

Filesize
191B

MD5
749cad3805a81103948d0c3b9661c930

SHA1
2a6c10232a25f8c4a0693017b86694955a21eb8e

SHA256
a05be2d1668f6ee6233fce1ea66ae7f8902771cd6c8b5159d10d06ab18703483

SHA512
2c347e1df065afe8e477ef2740d4116fa2b183185264d2db8f24300caaffda403b5f363ee166742d7b126f57b8d491ac066c5e348c8fc76675cc98def8d90b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
191B

MD5
a31cec715a9f7230378ccce9610742cc

SHA1
ef45168915b8d4f4bef17be4367ee276e9c019f9

SHA256
e35445050ebbf38f866acaa0b4cf322e028bde23843f501bfdfdbd332f6ada2f

SHA512
bf9730df424f31701a684af4b6e4afe798722a584bfe0da950c33e8faddb83875a3a82d9d0aeb22e75bd1b38f07bfae69f27b88ab7f3eadee165164e809b99c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
191B

MD5
d9299962d1b39e4ae75bbf6ac0fc6b95

SHA1
19d6e50ad8f586404692b283c169fe5cf7b2d65a

SHA256
645bc573170f1b5f3336e585a0113d260780e0117fd39cdb47c69bc8c0e28d8b

SHA512
f4aa8cb066b7e0a881437a103bf1a393fa55598e13c55e8f1fa0f6fa04e0dcd971f0de4d17b81aefd3617b8f5b1627331262b2b65a178d546e5edea7971f0488

Download Submit
C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat

Filesize
31B

MD5
659397b18711665774947ed6189e91ae

SHA1
73006ef2a02a72132f180e873324e8a6e4c593df

SHA256
a939eb9c97b5aad7a4aa9cc522e93a81399fffc03b7536f603175a90d3fc6130

SHA512
f68315f1f2aad292176dc1f845da4fa4acb59bedf4f446130edc73481bf6bcc2e765258fbc558b1b3b3a08590e25e6937e9046adf4f00eb2afbb172646298c30

Download Submit
C:\refhostperf\YDUzd2DburnkxzGba.vbe

Filesize
218B

MD5
693da7c1e4c7e39bb88041ca03bbf61e

SHA1
87ff5e77258e4ff5833a04ce4168d287510d32d6

SHA256
3ea997020623cbd40f68cff156f5ede16b0a4c2418b07ee5dacf64770a7fff99

SHA512
f64a9f10099e9cc009160ead27a6c6420a78a7265ffeb754fc3819f418bc02ccea0be2c3b24dd9849b90a7423e850ae4fb5253958ccd5cc92867e094508da837

Download Submit
C:\refhostperf\serverperf.exe

Filesize
1.2MB

MD5
7fec3eebd710313f7b35254d792228fc

SHA1
e55a429782c6f78e6fc8c80d6fb71a85ce1d01aa

SHA256
3d32ef71bff87e2ac881484cea6b82bd52090a7252c8719f11fb73bb8f63a405

SHA512
83932d7ac29af18c3a0f1424d2cd3e2a1810e908c828377f5c0d6e72240820c3778378c9c3f0c7b86ca94a8265d9c7c0e2b9460de288f07b62c98cd89d699af4

Download Submit
memory/4696-17-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/4696-16-0x00000000026E0000-0x00000000026F6000-memory.dmp

Filesize
88KB

Download
memory/4696-15-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/4696-14-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download
memory/4696-13-0x0000000000460000-0x0000000000596000-memory.dmp

Filesize
1.2MB

Download
memory/4696-12-0x00007FFFAC133000-0x00007FFFAC135000-memory.dmp

Filesize
8KB

Download