Analysis
- max time kernel: 76s
- max time network: 84s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 12:03

Behavioral task behavioral1
- Sample: DCRatBuild.exe
- Resource: win7-20240508-en

Behavioral task behavioral2
- Sample: DCRatBuild.exe
- Resource: win10v2004-20240508-en

Errors

General
- Target: DCRatBuild.exe
- Size: 1.1MB
- MD5: 69119a27d94728deb85e51c343ca0173
- SHA1: f93da03f3678056d611196d1c837146277fc68dc
- SHA256: f54df54335eb1edb832f6a501d095b0d2011c32a81f061397e04908efab35b3e
- SHA512: ce7887a1abaac570a45344efa9793650c39134b89a1aaad5e1cbe8e71985e6515871622334b5da4cad520e865a4c7605e0587bb4174d54fbf129035eb5cd1e6c
- SSDEEP: 24576:U2G/nvxW3Ww0tzm2QaiULPxZWv7q6cZIrDgVmAk:UbA30BQaVZrmH
Malware Config
Signatures
DcRat 50 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
- schtasks.exe, PIDs 1748, 4496, 2676, 4948, 2020, 4336, 3480, 1144, 1116, 2796, 1744, 1836, 3736, 2452, 4444, 4672, 4632, 2160, 2572, 1092, 3224, 2272, 4276, 2832, 1088, 2020, 2936, 3408, 4676, 3568, 1196, 5000, 1548, 1852, 3272, 3244, 2060, 3988, 1656, 3492, 380, 1492, 1300, 5112, 4812, 1088, 1504, 4452 (48 entries)
- File created: C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\7a0fd90576e088 (serverwin.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (DCRatBuild.exe)
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1220) is not expected to spawn this process: schtasks.exe, PIDs 4632, 1852, 4444, 1144, 1836, 2020, 1088, 1196, 5000, 1548, 2796, 1748, 1744, 3272, 3988, 1656, 3492, 380, 3736, 2160, 3244, 4496, 1504, 2572, 2936, 4336, 2676, 5112, 3408, 2272, 1116, 4812, 3568, 2452, 4276, 4948, 1092, 3480, 2832, 4672, 2060, 3224, 1492, 1300, 4676, 4452, 2020, 1088 (48 entries)
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
- PID 4484 (taskmgr.exe) created PID 1248 (chrome.exe)
- PID 4484 (taskmgr.exe) created PID 1248 (chrome.exe)

Resources matching YARA rule dcrat:
- C:\PortserverWin\serverwin.exe
- behavioral2/memory/3728-13-0x00000000002A0000-0x0000000000376000-memory.dmp
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (DCRatBuild.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (serverwin.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (serverwin.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (lsass.exe)
Executes dropped EXE 3 IoCs
Processes:
- PID 3728 serverwin.exe
- PID 3752 serverwin.exe
- PID 548 lsass.exe

Drops file in Program Files directory 12 IoCs
Processes:
- File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe (serverwin.exe)
- File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\886983d96e3d3e (serverwin.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\debug.log (chrome.exe)
- File created: C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe (serverwin.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe (serverwin.exe)
- File created: C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\7a0fd90576e088 (serverwin.exe)
- File created: C:\Program Files\Windows Multimedia Platform\lsass.exe (serverwin.exe)
- File created: C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7 (serverwin.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\110.0.5481.104\debug.log (chrome.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\110.0.5481.104\debug.log (chrome.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\debug.log (chrome.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\debug.log (chrome.exe)

Drops file in Windows directory 4 IoCs
Processes:
- File created: C:\Windows\Speech\msedge.exe (serverwin.exe)
- File created: C:\Windows\Speech\61a52ddc9dd915 (serverwin.exe)
- File created: C:\Windows\Offline Web Pages\msedge.exe (serverwin.exe)
- File created: C:\Windows\Offline Web Pages\61a52ddc9dd915 (serverwin.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS 17 IoCs
Processes:
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634450743254249" (chrome.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)

Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings (DCRatBuild.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, PIDs 4452, 4632, 1852, 3272, 1656, 4496, 2676, 1548, 4336, 3480, 2060, 3224, 4676, 4948, 1092, 4444, 1144, 5000, 3244, 4812, 2452, 4672, 1836, 2796, 1748, 3736, 1300, 2020, 2272, 3568, 2020, 1196, 3988, 3492, 380, 2572, 4276, 2936, 1088, 1088, 1744, 2160, 5112, 1504, 3408, 1116, 2832, 1492 (48 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (distinct pid/process pairs among the 64 repeated entries):
- PID 3728 serverwin.exe
- PID 3752 serverwin.exe
- PID 548 lsass.exe
- PID 4484 taskmgr.exe
- PID 1248 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
- PID 1248 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
- Token: SeDebugPrivilege, PID 3728 serverwin.exe
- Token: SeDebugPrivilege, PID 3752 serverwin.exe
- Token: SeDebugPrivilege, PID 548 lsass.exe
- Token: SeDebugPrivilege, PID 4484 taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 4484 taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 4484 taskmgr.exe
- Token: SeShutdownPrivilege, PID 1248 chrome.exe (repeated, alternating with the next entry)
- Token: SeCreatePagefilePrivilege, PID 1248 chrome.exe (repeated, alternating with the previous entry)
- Token: SeShutdownPrivilege, PID 3752 shutdown.exe
- Token: SeRemoteShutdownPrivilege, PID 3752 shutdown.exe
- Token: 33, PID 4484 taskmgr.exe
- Token: SeIncBasePriorityPrivilege, PID 4484 taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process pairs among the 64 repeated entries):
- PID 4484 taskmgr.exe
- PID 1248 chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs
Processes (distinct pid/process pairs among the 64 repeated entries):
- PID 4484 taskmgr.exe
- PID 1248 chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 804 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct source/target pairs among the 64 repeated entries):
- PID 2892 DCRatBuild.exe wrote to memory of PID 4864 WScript.exe
- PID 4864 WScript.exe wrote to memory of PID 3600 cmd.exe
- PID 3600 cmd.exe wrote to memory of PID 3728 serverwin.exe
- PID 3728 serverwin.exe wrote to memory of PID 3752 serverwin.exe
- PID 3752 serverwin.exe wrote to memory of PID 548 lsass.exe
- PID 1248 chrome.exe wrote to memory of PID 1276 chrome.exe
- PID 1248 chrome.exe wrote to memory of PID 396 chrome.exe
- PID 1248 chrome.exe wrote to memory of PID 4912 chrome.exe
- PID 1248 chrome.exe wrote to memory of PID 3708 chrome.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortserverWin\hbvALF5ANwO637LJ.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\PortserverWin\serverwin.exe"C:\PortserverWin\serverwin.exe"4⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\PortserverWin\serverwin.exe"C:\PortserverWin\serverwin.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Program Files\Windows Multimedia Platform\lsass.exe"C:\Program Files\Windows Multimedia Platform\lsass.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:81⤵PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\PortserverWin\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PortserverWin\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\PortserverWin\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\PortserverWin\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PortserverWin\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1196
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\PortserverWin\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5000
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1548
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1748
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\PortserverWin\taskhostw.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1744
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\PortserverWin\taskhostw.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3272
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\PortserverWin\taskhostw.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3988
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\PortserverWin\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1656
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3492
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:380
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\PortserverWin\msedge.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3736
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\PortserverWin\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2160
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\PortserverWin\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3244
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4496
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1504
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2572
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2936
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4336
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2676
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\msedge.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5112
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3408
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2272
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1116
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4812
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\PortserverWin\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3568
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2452
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4276
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4948
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1092
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3480
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2832
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4672
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2060
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3224
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1492
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1300
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4676
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4452
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2020
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1088
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1248
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffe9542ab58,0x7ffe9542ab68,0x7ffe9542ab78
    PID:1276
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:2
    PID:396
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:4912
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:3708
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
    PID:3952
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
    PID:4072
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:1
    PID:5128
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:5172
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:5180
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:5420
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:5488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    PID:5536
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    - Drops file in Program Files directory
    PID:5700
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:2
    - Drops file in Program Files directory
    PID:5812
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1944,i,11971448462675227680,65564308198792409,131072 /prefetch:8
    - Drops file in Program Files directory
    PID:5880
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID:2032
- C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\e937ebf6b0a440a3b435226593782774 /t 4360 /p 1248
  PID:4952
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38f7855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:804
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\PortserverWin\XYXAwlDcaTvxZITkmh1OkrpHr.bat
  Filesize: 32B
  MD5: f97003508c4a7da05b8dd7ec2eb5d19d
  SHA1: 57c69807156d660c0394caf53af6d7edb10419ae
  SHA256: 0065d6587056351f930803b1030b2d1b210e41a4a731f3d0e4f55d903a0b80e0
  SHA512: 86c8a7697d0593dc48bd1343af8c114e85fa422380ae7cfcbd549d4b740e7aff4faf23d0ff06d1c7e4b6a1b0f3eafe15ddfbc451d42815ec23b4ee7e6437124d
- C:\PortserverWin\hbvALF5ANwO637LJ.vbe
  Filesize: 215B
  MD5: ac7f40d86252e33f7eaa68237c8ef92e
  SHA1: 3cca1a9e29e8ab5a3a72ac9c8eac2c482a0da30b
  SHA256: 90cd9a07fcbef6f39445d04035adbdcde5f1cc91e7f7f084516efbc5ba95c3ca
  SHA512: 1d66fedbc2b1d882b007d4b36c3ffef1c5d550c60ceb14c7517b48e08deb2f7e868fdd419d6545e07fe4a859ff088746f8a6892b9e99a8d2216f7c3a4bc2c694
- C:\PortserverWin\serverwin.exe
  Filesize: 828KB
  MD5: eee8aebed57ea1fb9fb307a967e6892a
  SHA1: 047a0c84eeba395bf99e99872ad56bb35416bb2b
  SHA256: 1d5d6374bc49780c31381696ad42a24369b398a2a85580196c031067f97e621d
  SHA512: 411d5d02d40de7ec4eb4679cc1047df0987060676bbd721efe099c6babbaead2dccdd68a394afe930c96bb34f40c0512ae4ca224c152f02721072cc14c04004d
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
  Filesize: 44KB
  MD5: c33487dbfbcd56ed1abbd8474854abfa
  SHA1: 24567b9dd8db9ba8df90e39140b517611a363d46
  SHA256: 0667afe58e06cd33647019351f0531f17f1144fa7513018ce58d43bd36352191
  SHA512: 81f95f2247afb2b56fb56aa9f9fd81c89e44bb523c1cc865927d9e6f49b049ccffa45ebcd6bf8661a32fa3912916c53df6cc1c57dc268f15cc1495f458466540
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
  Filesize: 264KB
  MD5: 5b74936d4cd2113f9ac53293dfcbf272
  SHA1: 13645e0f19b336fa8a39bc4d37c53931aa52b0c1
  SHA256: 87c0d602bb4d97985e83aeaddb301f7d0bf8efd97e0ac8519b5aa5aa75cd41f9
  SHA512: 6a7c36c2a3686b7ab9018c74a8a19099ab5706c1de46e617b581242dc23020026bed212f428540d854fd4001b7a075dcb96b1c1cce71d2daf44ec73a83c40d7b
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
  Filesize: 1.0MB
  MD5: 011e4aca502eff80e9b69ba422e1dc72
  SHA1: be09cade14d8ebb3a8f5e7f0bace2efac4c75dba
  SHA256: da52c160a1e6e0d2a6a3be6c40de0359229d3ff38cddf01723c635c38874ed95
  SHA512: 9ace6cc51c9eade6f8dc516043ab0a20c05c80e7f2166dec86d07b1a341ec011a966ed8613890d33e807d3955f6b21fa4b139f287e9016e199ed6377e533c554
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
  Filesize: 4.0MB
  MD5: 75a01a04e0e7f88fa8e12318b02eb958
  SHA1: 11a284f3b71d933602da82d9bfa4f2f851b4e8b4
  SHA256: 38c578c7567f13f1e3e8b11d58ce53b88e6a4863586008ac6c6e08880a8d5dc5
  SHA512: dd2d1d2bf30b13ba574a0d2d3482133af2c9df3a5da0e534e8dcc3e5185898c80ac56d9e99f2b1f52c5e9c38e6527db752636637b9aa76698188558c0a6be492
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
  Filesize: 34KB
  MD5: 67936a4ce6ab9cc1e2adfbc9b23c3d95
  SHA1: 18e71ccafe31e399c81d0c3e887d8c00f02b4871
  SHA256: b8cccde73423469ceb4e79658e960c72c4817e187f39365bec4f0677275dc5eb
  SHA512: c7f9b155ad637b01b0c35ce66f00b638d0512df6abe00ee2fc713eb4efd76792d9c25d38be5ee51d844060f48cf98b6bb9d5b86f1d39d08eff261122ad9fd7ed
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
  Filesize: 59KB
  MD5: caaa5222d179a24ca5540080c7018b99
  SHA1: 1f415a7a73a12a4c16f25709504f4e4e4beae9dd
  SHA256: b729255f2e984a20fa0f0eb07e08368cf468fd17ff27a7d1dbb4042ec261d8cf
  SHA512: 71b4f878aa154ba4a8523c2e36faa8dbe3cfafa082b18796d8b69539dee9506253b9e55fc9b71cc2c9027d22ae08587b0e2ddadbc8d3395dbb73584d1ca1ebcc
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
  Filesize: 40KB
  MD5: aa12ea792026e66caab5841d4d0b9bab
  SHA1: 47beeba1239050999e8c98ded40f02ce82a78d3f
  SHA256: 65fe153a832452e97f5d484440a7047e314d3a83cb61ad2508fed48a820e1de1
  SHA512: 0b2b1bb8851c60c9d4ab1d039b990a4de5799c97c50b45f64e36a21849c14e785f69196f674ac225b1419d7f501338054074cab6203d041361a4fa1ed8802b27
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 810B
  MD5: 0f488c7a14a1c7c43f9d92ebcf8a6b9b
  SHA1: eb90656e471c4e99bb8e8d2fac7ea26324aee199
  SHA256: f82b81e45d517266533e20ca12abd18f854498ead1040ba2217900d990a21f71
  SHA512: 805be9f7c0e7868c5f760c04c02ace4f03f63968bbffc0d8aece752f179046e952b3c2ff808b368a7ef7ab3729865c551655b2b4d5a6d35b86eaf8e0138b6737
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 356B
  MD5: 9fa40de303da3c90b3dfe2c86f565537
  SHA1: 910cf6c5d0d89074e0c57e7dba0d1ffdfd26a240
  SHA256: 2fd55312bad78c63cdf6b4ebfae9d8e7c92c9c713e74f43399411bdc291ef8f1
  SHA512: a2ba8345f8b75a94590b1c3afc90c85b441b10ea1d176d5210505fa5b14efcd76bc0cac8436dcf4cbaa315704c2dec129d4767b70dd3112409b017d6f8889645
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 7cae792de3adcb3b2ce82fdd3c2f3033
  SHA1: cc5b07a7868cc9f9c92b0f08c3e5b305814606cb
  SHA256: bae05549a8a8686b434faefaf9a6bc4aa4c02db8205c87e06997f201a8d29666
  SHA512: 7f131b3741693035fc9557fb2178a6dffe6f9c621b7947c0d5683f637e166a6a720a2ef0ed2bf3fe896a16f924916215fed137b231ac40be643d4cfa3e2c127d
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 16KB
  MD5: 61c324ad299c8df87f6e3e04499e3b3a
  SHA1: dae8df412afdab597e73391c652460fd519f54f4
  SHA256: ae8d8d004e5f997bdaa01fffd79586f3bdcde7535469f244d7a9a93ebdae87e9
  SHA512: 4344f251fb71911baba15bba2d76dae6fc598d4d9d4ac1961521bf23010e7781db657c3c63d6328ef6f4e0810cf80d2d80fc0fcbd53428f354d673ec2424d749
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
  Filesize: 44KB
  MD5: 76ffc65931b85614e357878de04ef35d
  SHA1: e6381faed4134e60505abc0f0cbe3ec2f5dc0518
  SHA256: c3dfef62b84bd5e292c35c73019be9f0ea14dc7a9b9cae6fdad3b0900d9ea1c9
  SHA512: df482955f1824d8569fce0d8b5cef51c53ad4beda3f01c20d37a9e5368adcac104a56aa3fb6e9ad45d64deab45d7dbdebaac544d373de51f7b7501bf1346920e
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
  Filesize: 264KB
  MD5: d401f1dd65cbc8c9e946f942ac538f64
  SHA1: 37dd5034afc2da322a80f32f8f938e2ea5182f25
  SHA256: f465a0ed8fb2152353d29125a8d05fe18d3e7baad815111b5653e0879413626d
  SHA512: 2d2c8cd8aa342aa62653822a9ba4f49cfc085f852a50d6f3389d7ec76737a76078e12d768070a3f4a7b00c607871b05c3971306efe39bdf9788e3995a5158478
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
  Filesize: 4.0MB
  MD5: 5ff8f8987906c1a7271ff7d9db09824e
  SHA1: d4ae9dc7afc8689a09708b71a6bcd0df112f195e
  SHA256: 19fea9161a1d71c6c2476aaba0586c64cf6cc5b29db8c1836e0146f24269c071
  SHA512: b2f45874a3de891e7b5a359d550036c339094a032349217774a993f3d612b05852c76c38c4d3cf7cdc9922f83088e937f2bc7c3d8c6474d3f28b6e1ec71ee915
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 270KB
  MD5: fd0bfbd2c887a9a359c7011e214a22f2
  SHA1: 15c386f60a91a1e4737a0de05797f2cefe1c8d30
  SHA256: 97c0b751212e336ff6ed8ca786cd2688c69c916e6237abb7242d3582a8f4a3c5
  SHA512: 07fcd6f5f0d3ab2eb963f09ae97c4c762993560fcc169a7636ca8cb648ae14249e9be6187b47c9cae152fc995b72994f12b676f99544d891b238acb8a643e101
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 270KB
  MD5: 6c783f9cc9b25cd6be57068767728849
  SHA1: fc55e0ae7dd2c9995d5f0707ac3033c88a7fffe3
  SHA256: 0f7648c71c26274302dbac733f5d8082b53320ee79fa2d19cf217c53699d3d95
  SHA512: ad9bf26ccb9b0f37e45127176b608f8afef690451ee7658204f8febde08d1b719bfacd776a5478f652e851b6a03bf1d458662162cd23063b36e75de91a24f695
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverwin.exe.log
  Filesize: 1KB
  MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
  SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
  SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
  SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
- \??\pipe\crashpad_1248_YCXVTEBEVBGTRDPQ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/3728-13-0x00000000002A0000-0x0000000000376000-memory.dmp
  Filesize: 856KB
- memory/3728-12-0x00007FFE9ED43000-0x00007FFE9ED45000-memory.dmp
  Filesize: 8KB
- memory/4484-66-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-67-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-68-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-69-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-70-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-71-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-65-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-59-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-60-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB
- memory/4484-61-0x000001F447260000-0x000001F447261000-memory.dmp
  Filesize: 4KB