dcrat | 9ed8d863b2e97e161cb9bf8d55a6de344e937abc7ee4f9b389d4b68856958166

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
Size

2.0MB
MD5

b5de23814a83134fca7ce2dbc450af36
SHA1

b5592ad63cbc1706a66dbf7d4c9d833572ab1ecc
SHA256

9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
SHA512

775b910fa2918ff3a49d75beb93b51a2f09ab7cf679dab6b1046b261962b2e35d0b326bea528d195fde52259ff1692b46659b9a64cc930e5f097d4abe5752c87
SSDEEP

49152:MnOpOCv0Z29PyAey5pV/ohTXY2H2mS5auQi0dGf1ecKxClrpHZ:tON+v5p2TXvWfUeEIR

Score

10^/10

dcrat njrat umbral xworm discovery evasion execution infostealer persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

xworm

21.ip.gl.ply.gg:29567

Attributes

Install_directory
%Temp%
install_file
runtimebroken.exe

Signatures

DcRat 60 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3588	schtasks.exe
		3080	schtasks.exe
		4452	schtasks.exe
		5056	schtasks.exe
		1512	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimebroken = "C:\\Users\\Admin\\AppData\\Local\\Temp\\runtimebroken.exe"		XClient.exe
		1560	schtasks.exe
		1468	schtasks.exe
		3708	schtasks.exe
		2548	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
		2220	schtasks.exe
		4712	schtasks.exe
		4332	schtasks.exe
		5024	schtasks.exe
		1916	schtasks.exe
		3776	schtasks.exe
		2196	schtasks.exe
		1352	schtasks.exe
		2428	schtasks.exe
		2160	schtasks.exe
		2232	schtasks.exe
		4768	schtasks.exe
		3880	schtasks.exe
		3604	schtasks.exe
		3408	schtasks.exe
		828	schtasks.exe
		244	schtasks.exe
		3592	schtasks.exe
		4796	schtasks.exe
		1336	schtasks.exe
		1368	schtasks.exe
		2244	schtasks.exe
		3160	schtasks.exe
		2940	schtasks.exe
		1928	schtasks.exe
		2472	schtasks.exe
		3312	schtasks.exe
		1544	schtasks.exe
		760	schtasks.exe
		1652	schtasks.exe
		2740	schtasks.exe
		4336	schtasks.exe
		3164	schtasks.exe
		1776	schtasks.exe
		2100	schtasks.exe
		3904	schtasks.exe
		4880	schtasks.exe
		1600	schtasks.exe
		4380	schtasks.exe
		3960	schtasks.exe
		4856	schtasks.exe
		2260	schtasks.exe
		3348	schtasks.exe
		3508	schtasks.exe
		2044	schtasks.exe
		4244	schtasks.exe
		3208	schtasks.exe
		1264	schtasks.exe
		624	schtasks.exe

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000234b1-4.dat	family_umbral
behavioral2/memory/4696-25-0x000002AE6BA10000-0x000002AE6BA50000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234bc-16.dat	family_xworm
behavioral2/memory/2964-46-0x00000000009D0000-0x00000000009EA000-memory.dmp	family_xworm

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2892	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2892	schtasks.exe	91

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00070000000234bf-57.dat	dcrat
behavioral2/files/0x00070000000234c2-130.dat	dcrat
behavioral2/memory/4000-132-0x0000000000E30000-0x0000000000FAA000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1404	powershell.exe
1460	powershell.exe
3928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dUmbral.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1772	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	nbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	surrogatewin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroken.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroken.lnk	XClient.exe

Executes dropped EXE 10 IoCs

pid	Process
4696	dUmbral.exe
2964	XClient.exe
3096	sheetr.exe
3060	nbClient.exe
3024	DCRatBuild.exe
1680	WindowsServices.exe
4000	surrogatewin.exe
932	fontdrvhost.exe
4608	runtimebroken.exe
4392	runtimebroken.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtimebroken = "C:\\Users\\Admin\\AppData\\Local\\Temp\\runtimebroken.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d21edb049c65ebaba2de22a974b4ef03 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d21edb049c65ebaba2de22a974b4ef03 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."	WindowsServices.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\04c1e7795967e4	surrogatewin.exe
File created	C:\Program Files\Windows NT\TableTextService\5940a34987c991	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Sidebar\conhost.exe	surrogatewin.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\ebf1f9fa8afd6d	surrogatewin.exe
File created	C:\Program Files (x86)\WindowsPowerShell\66fc9ff0ee96c2	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\TrustedInstaller.exe	surrogatewin.exe
File created	C:\Program Files\Windows NT\TableTextService\dllhost.exe	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Sidebar\088424020bedd6	surrogatewin.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\cmd.exe	surrogatewin.exe
File created	C:\Program Files (x86)\WindowsPowerShell\sihost.exe	surrogatewin.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	surrogatewin.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	surrogatewin.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\conhost.exe	surrogatewin.exe
File created	C:\Windows\de-DE\088424020bedd6	surrogatewin.exe
File created	C:\Windows\apppatch\ja-JP\cmd.exe	surrogatewin.exe
File created	C:\Windows\apppatch\ja-JP\ebf1f9fa8afd6d	surrogatewin.exe
File created	C:\Windows\Offline Web Pages\5b884080fd4f94	surrogatewin.exe
File created	C:\Windows\GameBarPresenceWriter\cmd.exe	surrogatewin.exe
File created	C:\Windows\GameBarPresenceWriter\ebf1f9fa8afd6d	surrogatewin.exe
File created	C:\Windows\Offline Web Pages\fontdrvhost.exe	surrogatewin.exe
File created	C:\Windows\Resources\Themes\aero\it-IT\Idle.exe	surrogatewin.exe
File created	C:\Windows\Resources\Themes\aero\it-IT\6ccacd8608530f	surrogatewin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
208	cmd.exe
4832	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
116	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	surrogatewin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4832	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 58 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe
3904	schtasks.exe
2260	schtasks.exe
4712	schtasks.exe
2244	schtasks.exe
3880	schtasks.exe
3160	schtasks.exe
4336	schtasks.exe
4768	schtasks.exe
2740	schtasks.exe
1600	schtasks.exe
2232	schtasks.exe
244	schtasks.exe
4880	schtasks.exe
760	schtasks.exe
5056	schtasks.exe
3776	schtasks.exe
2428	schtasks.exe
4452	schtasks.exe
3312	schtasks.exe
2100	schtasks.exe
3708	schtasks.exe
3604	schtasks.exe
5024	schtasks.exe
1468	schtasks.exe
2472	schtasks.exe
3960	schtasks.exe
1352	schtasks.exe
3348	schtasks.exe
1544	schtasks.exe
4856	schtasks.exe
2940	schtasks.exe
624	schtasks.exe
3208	schtasks.exe
828	schtasks.exe
1776	schtasks.exe
3592	schtasks.exe
4244	schtasks.exe
1560	schtasks.exe
1928	schtasks.exe
1368	schtasks.exe
3508	schtasks.exe
1336	schtasks.exe
3588	schtasks.exe
1264	schtasks.exe
4380	schtasks.exe
4332	schtasks.exe
2160	schtasks.exe
4796	schtasks.exe
2548	schtasks.exe
2196	schtasks.exe
2220	schtasks.exe
3164	schtasks.exe
3080	schtasks.exe
1512	schtasks.exe
2044	schtasks.exe
3408	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4696	dUmbral.exe
3928	powershell.exe
3928	powershell.exe
1404	powershell.exe
1404	powershell.exe
1460	powershell.exe
1460	powershell.exe
2964	XClient.exe
4000	surrogatewin.exe
4000	surrogatewin.exe
4000	surrogatewin.exe
4000	surrogatewin.exe
4000	surrogatewin.exe
932	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	XClient.exe
Token: SeDebugPrivilege	4696	dUmbral.exe
Token: SeIncreaseQuotaPrivilege	3576	wmic.exe
Token: SeSecurityPrivilege	3576	wmic.exe
Token: SeTakeOwnershipPrivilege	3576	wmic.exe
Token: SeLoadDriverPrivilege	3576	wmic.exe
Token: SeSystemProfilePrivilege	3576	wmic.exe
Token: SeSystemtimePrivilege	3576	wmic.exe
Token: SeProfSingleProcessPrivilege	3576	wmic.exe
Token: SeIncBasePriorityPrivilege	3576	wmic.exe
Token: SeCreatePagefilePrivilege	3576	wmic.exe
Token: SeBackupPrivilege	3576	wmic.exe
Token: SeRestorePrivilege	3576	wmic.exe
Token: SeShutdownPrivilege	3576	wmic.exe
Token: SeDebugPrivilege	3576	wmic.exe
Token: SeSystemEnvironmentPrivilege	3576	wmic.exe
Token: SeRemoteShutdownPrivilege	3576	wmic.exe
Token: SeUndockPrivilege	3576	wmic.exe
Token: SeManageVolumePrivilege	3576	wmic.exe
Token: 33	3576	wmic.exe
Token: 34	3576	wmic.exe
Token: 35	3576	wmic.exe
Token: 36	3576	wmic.exe
Token: SeIncreaseQuotaPrivilege	3576	wmic.exe
Token: SeSecurityPrivilege	3576	wmic.exe
Token: SeTakeOwnershipPrivilege	3576	wmic.exe
Token: SeLoadDriverPrivilege	3576	wmic.exe
Token: SeSystemProfilePrivilege	3576	wmic.exe
Token: SeSystemtimePrivilege	3576	wmic.exe
Token: SeProfSingleProcessPrivilege	3576	wmic.exe
Token: SeIncBasePriorityPrivilege	3576	wmic.exe
Token: SeCreatePagefilePrivilege	3576	wmic.exe
Token: SeBackupPrivilege	3576	wmic.exe
Token: SeRestorePrivilege	3576	wmic.exe
Token: SeShutdownPrivilege	3576	wmic.exe
Token: SeDebugPrivilege	3576	wmic.exe
Token: SeSystemEnvironmentPrivilege	3576	wmic.exe
Token: SeRemoteShutdownPrivilege	3576	wmic.exe
Token: SeUndockPrivilege	3576	wmic.exe
Token: SeManageVolumePrivilege	3576	wmic.exe
Token: 33	3576	wmic.exe
Token: 34	3576	wmic.exe
Token: 35	3576	wmic.exe
Token: 36	3576	wmic.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeIncreaseQuotaPrivilege	3184	wmic.exe
Token: SeSecurityPrivilege	3184	wmic.exe
Token: SeTakeOwnershipPrivilege	3184	wmic.exe
Token: SeLoadDriverPrivilege	3184	wmic.exe
Token: SeSystemProfilePrivilege	3184	wmic.exe
Token: SeSystemtimePrivilege	3184	wmic.exe
Token: SeProfSingleProcessPrivilege	3184	wmic.exe
Token: SeIncBasePriorityPrivilege	3184	wmic.exe
Token: SeCreatePagefilePrivilege	3184	wmic.exe
Token: SeBackupPrivilege	3184	wmic.exe
Token: SeRestorePrivilege	3184	wmic.exe
Token: SeShutdownPrivilege	3184	wmic.exe
Token: SeDebugPrivilege	3184	wmic.exe
Token: SeSystemEnvironmentPrivilege	3184	wmic.exe
Token: SeRemoteShutdownPrivilege	3184	wmic.exe
Token: SeUndockPrivilege	3184	wmic.exe
Token: SeManageVolumePrivilege	3184	wmic.exe
Token: 33	3184	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2964	XClient.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4696	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	86
PID 1960 wrote to memory of 4696	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	86
PID 1960 wrote to memory of 2964	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	87
PID 1960 wrote to memory of 2964	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	87
PID 1960 wrote to memory of 3096	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	88
PID 1960 wrote to memory of 3096	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	88
PID 1960 wrote to memory of 3060	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	89
PID 1960 wrote to memory of 3060	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	89
PID 1960 wrote to memory of 3060	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	89
PID 1960 wrote to memory of 3024	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	90
PID 1960 wrote to memory of 3024	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	90
PID 1960 wrote to memory of 3024	1960	9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe	90
PID 4696 wrote to memory of 3576	4696	dUmbral.exe	92
PID 4696 wrote to memory of 3576	4696	dUmbral.exe	92
PID 3024 wrote to memory of 2740	3024	DCRatBuild.exe	94
PID 3024 wrote to memory of 2740	3024	DCRatBuild.exe	94
PID 3024 wrote to memory of 2740	3024	DCRatBuild.exe	94
PID 4696 wrote to memory of 2636	4696	dUmbral.exe	95
PID 4696 wrote to memory of 2636	4696	dUmbral.exe	95
PID 4696 wrote to memory of 3928	4696	dUmbral.exe	97
PID 4696 wrote to memory of 3928	4696	dUmbral.exe	97
PID 4696 wrote to memory of 1404	4696	dUmbral.exe	99
PID 4696 wrote to memory of 1404	4696	dUmbral.exe	99
PID 4696 wrote to memory of 3184	4696	dUmbral.exe	103
PID 4696 wrote to memory of 3184	4696	dUmbral.exe	103
PID 4696 wrote to memory of 3508	4696	dUmbral.exe	105
PID 4696 wrote to memory of 3508	4696	dUmbral.exe	105
PID 4696 wrote to memory of 3956	4696	dUmbral.exe	107
PID 4696 wrote to memory of 3956	4696	dUmbral.exe	107
PID 4696 wrote to memory of 1460	4696	dUmbral.exe	109
PID 4696 wrote to memory of 1460	4696	dUmbral.exe	109
PID 2964 wrote to memory of 4244	2964	XClient.exe	111
PID 2964 wrote to memory of 4244	2964	XClient.exe	111
PID 4696 wrote to memory of 116	4696	dUmbral.exe	114
PID 4696 wrote to memory of 116	4696	dUmbral.exe	114
PID 4696 wrote to memory of 208	4696	dUmbral.exe	116
PID 4696 wrote to memory of 208	4696	dUmbral.exe	116
PID 208 wrote to memory of 4832	208	cmd.exe	118
PID 208 wrote to memory of 4832	208	cmd.exe	118
PID 3060 wrote to memory of 1680	3060	nbClient.exe	119
PID 3060 wrote to memory of 1680	3060	nbClient.exe	119
PID 3060 wrote to memory of 1680	3060	nbClient.exe	119
PID 2740 wrote to memory of 4760	2740	WScript.exe	121
PID 2740 wrote to memory of 4760	2740	WScript.exe	121
PID 2740 wrote to memory of 4760	2740	WScript.exe	121
PID 4760 wrote to memory of 4000	4760	cmd.exe	123
PID 4760 wrote to memory of 4000	4760	cmd.exe	123
PID 4000 wrote to memory of 1960	4000	surrogatewin.exe	181
PID 4000 wrote to memory of 1960	4000	surrogatewin.exe	181
PID 1960 wrote to memory of 2156	1960	cmd.exe	183
PID 1960 wrote to memory of 2156	1960	cmd.exe	183
PID 1680 wrote to memory of 1772	1680	WindowsServices.exe	186
PID 1680 wrote to memory of 1772	1680	WindowsServices.exe	186
PID 1680 wrote to memory of 1772	1680	WindowsServices.exe	186
PID 1960 wrote to memory of 932	1960	cmd.exe	188
PID 1960 wrote to memory of 932	1960	cmd.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
"C:\Users\Admin\AppData\Local\Temp\9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\dUmbral.exe
  "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dUmbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3508
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1460
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:116
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4832
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - DcRat
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runtimebroken" /tr "C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe"
    3⤵
    - DcRat
    - Scheduled Task/Job: Scheduled Task
    PID:4244
- C:\Users\Admin\AppData\Local\Temp\sheetr.exe
  "C:\Users\Admin\AppData\Local\Temp\sheetr.exe"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\nbClient.exe
  "C:\Users\Admin\AppData\Local\Temp\nbClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\WindowsServices.exe
    "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1772
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\5wuflk5eGDg0JiUtQB.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\zjek1GJ52LhRCMyRfAhZF9WxGZ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2156
        
        C:\Windows\Offline Web Pages\fontdrvhost.exe
        
        "C:\Windows\Offline Web Pages\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\ja-JP\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\aero\it-IT\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\aero\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
1⤵
- Executes dropped EXE
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\runtimebroken.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.7MB

MD5
4296d05b7cbc2a5434fcbce0b223207a

SHA1
b9722fc0b88992a694ba9fda339589290e43c02e

SHA256
c8e0942be2254be75620a9985347888f94a848a238f6c1558848b42bc1d381f1

SHA512
0413160847169ebf9ddaa5081d1f5a0a6c04428186a8265151c81bd8ecc01dc4a80631de21a40acf03d53b90919331d6a15450476baeaa2f0b70a0857c464f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat

Filesize
209B

MD5
b192bbc098b294220a0a5f905a6efd78

SHA1
4d9ad2bb745b99c9f576a9b233ef2c9e8a02a1a8

SHA256
e00bf0fdf02a8aec968692247ccb39575c2cd8049ce18c9ae1a654b1c38782dd

SHA512
ff4cb0556a3f1066a43f814270de6abcecc4e6f41aae0da485dcb60879ca81bf700e048316db6b698836d09d6e59660eec260fb2d4b181a983c24940e47b4a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
75KB

MD5
462b4ff944b4c0a49a599bbf9b14ef07

SHA1
ca336da45ccfabe9768a91a1e86a3addd42855ac

SHA256
69c75fcc62bba3cdbfad6e0851fa249eb7ae0fbe1c50b16507dbb0573a2d6ae7

SHA512
64ca6271d23c0875abbecdf84d24d1b95387f54fd7e94396b537a32d0c400efe26af293f7aac519111bf2a7c87cd8b1bc57ee7f7bf12baa5f1fdf2991dd7986c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ysnahsl.wul.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\5wuflk5eGDg0JiUtQB.vbe

Filesize
230B

MD5
fb88e36782a5f55e36e02ff67da91cea

SHA1
a0fc273d88ade34a1da708ad049cc6ff0d94a940

SHA256
786d99584ff3356774ebbeb9cf60c0e926ef26fc8b673d771f774b7494fb11f6

SHA512
bc80fcc246a047f289cf714d13ff5a5ec00eae0583c597b666b06c9a5240c6b30f85415efc318af2e6406da98d37b4b344cc2c9f9e264948a822f3ad65a25f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe

Filesize
1.4MB

MD5
20e7cb182292241f014bf6db7f6d66cb

SHA1
a79831502d62923c432e6af1a57922110a51cfb9

SHA256
6de0eaace2e3dbab84cffb0bca1f4a6ceffff3f365d5c22e76ebe36adbd3bfc7

SHA512
6c0d2c73e219cc256c4ef03a00afedd9183442ccdb5d2758eae9f537ac0df1118b287170ec7fabab16785eac256216e481576383d144b5a160ff6978a765697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\zjek1GJ52LhRCMyRfAhZF9WxGZ.bat

Filesize
49B

MD5
62da6e82dd863cf101ddefb852179c91

SHA1
3746be98f65363f882ade790b0c01be1b567eb94

SHA256
7aead51c224afd6a0cf70e0ce00d776de2689818a5b2725539f184feadf84dcf

SHA512
15862e2179b250fdf1f1d7c98c2d7859076d733598675ded5e0def5aa36c44062acae71c22a52ce500329da1dc5e3860d474bb9dca60d6b476bf2005fefc4d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUmbral.exe

Filesize
232KB

MD5
4867d27de23cded5f2229c322bf6f3fe

SHA1
04cd16ac5d6a2f5b7bc1db8cdefd128d0f6c2fe1

SHA256
94357a5e0e0d52490a07fffd0a8940f7ffdf25acb16602d83120fc99722f88eb

SHA512
b7ced6d7a420c55813388755d765a015cb65c6393cdeffaff4be6cb7c00845434161a3282ce7d316800da42766d9c309487dc2e96b74340f47b20032632f8909

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbClient.exe

Filesize
159KB

MD5
e549fad14348aca3370ada071cec4caa

SHA1
294999dde4423250a1a71d7f2645712b6c2506a5

SHA256
252b5235a50cc20edad06dc4e1f9befbac3f446a7f2b61994655430c9b89484f

SHA512
6addaf79cb078f34076d9b0a55ed672dc54f0d756d237a0c3eaed218ab037a1f888fda10515b356c39db492aa21ad7f10de7f694ffd42aa2b4d45bd7d15b98ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\sheetr.exe

Filesize
516KB

MD5
bb854fb457e4782e20586b2e873cc76e

SHA1
057f10ed64625edb33d95f6100096f9637ee1b15

SHA256
0785e1f0d682986903eed2d98b82c1e9eef3cf6592d584bf5024f54f50c83c42

SHA512
d90d1a26cc0d8e064e7f642f34b306b7cd299f5b6dd160d61e016d8448241c4ae0ce9382d477f8301c2205a2bd31a187f7ea5fdc4f149086b031bed715460524

Download Submit
memory/2964-46-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/2964-145-0x00007FFCC6D40000-0x00007FFCC7801000-memory.dmp

Filesize
10.8MB

Download
memory/2964-56-0x00007FFCC6D40000-0x00007FFCC7801000-memory.dmp

Filesize
10.8MB

Download
memory/3096-61-0x00007FFCC6D40000-0x00007FFCC7801000-memory.dmp

Filesize
10.8MB

Download
memory/3096-58-0x00007FFCC6D40000-0x00007FFCC7801000-memory.dmp

Filesize
10.8MB

Download
memory/3096-45-0x0000000000A00000-0x0000000000A88000-memory.dmp

Filesize
544KB

Download
memory/3928-79-0x000001D65FF60000-0x000001D65FF82000-memory.dmp

Filesize
136KB

Download
memory/4000-135-0x000000001BBD0000-0x000000001BBE6000-memory.dmp

Filesize
88KB

Download
memory/4000-138-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/4000-142-0x000000001C220000-0x000000001C22C000-memory.dmp

Filesize
48KB

Download
memory/4000-132-0x0000000000E30000-0x0000000000FAA000-memory.dmp

Filesize
1.5MB

Download
memory/4000-133-0x000000001BBB0000-0x000000001BBCC000-memory.dmp

Filesize
112KB

Download
memory/4000-134-0x000000001BC20000-0x000000001BC70000-memory.dmp

Filesize
320KB

Download
memory/4000-141-0x000000001BC70000-0x000000001BC7E000-memory.dmp

Filesize
56KB

Download
memory/4000-137-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/4000-136-0x00000000031B0000-0x00000000031B8000-memory.dmp

Filesize
32KB

Download
memory/4000-140-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/4000-139-0x000000001CA30000-0x000000001CF58000-memory.dmp

Filesize
5.2MB

Download
memory/4696-100-0x000002AE6D710000-0x000002AE6D72E000-memory.dmp

Filesize
120KB

Download
memory/4696-97-0x000002AE6D6D0000-0x000002AE6D6E2000-memory.dmp

Filesize
72KB

Download
memory/4696-99-0x000002AE6E1F0000-0x000002AE6E266000-memory.dmp

Filesize
472KB

Download
memory/4696-96-0x000002AE6D6A0000-0x000002AE6D6AA000-memory.dmp

Filesize
40KB

Download
memory/4696-25-0x000002AE6BA10000-0x000002AE6BA50000-memory.dmp

Filesize
256KB

Download
memory/4696-21-0x00007FFCC6D43000-0x00007FFCC6D45000-memory.dmp

Filesize
8KB

Download