dcrat | 35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
102s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7508b07903325957294ebdcb89bd5b3.exe
Size

1.1MB
MD5

d7508b07903325957294ebdcb89bd5b3
SHA1

b6280b6c5e4b601ba3182520eca834aecd1ae1fc
SHA256

4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
SHA512

e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808
SSDEEP

12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3928	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	3928	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3928	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3928	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3928	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3928	schtasks.exe	88

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral32/memory/1456-1-0x0000000000300000-0x0000000000416000-memory.dmp	dcrat
behavioral32/files/0x0007000000024291-16.dat	dcrat
behavioral32/files/0x000700000002429a-33.dat	dcrat
behavioral32/files/0x0011000000024263-77.dat	dcrat
behavioral32/memory/3092-184-0x0000000000ED0000-0x0000000000FE6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1220	powershell.exe
1488	powershell.exe
1080	powershell.exe
1368	powershell.exe
4368	powershell.exe
1144	powershell.exe
5420	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	d7508b07903325957294ebdcb89bd5b3.exe

Executes dropped EXE 1 IoCs

pid	Process
3092	backgroundTaskHost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\ProgramData\\Documents\\fontdrvhost.exe\""	d7508b07903325957294ebdcb89bd5b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Videos\\Idle.exe\""	d7508b07903325957294ebdcb89bd5b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	d7508b07903325957294ebdcb89bd5b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	d7508b07903325957294ebdcb89bd5b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\SystemSettings.Handlers\\taskhostw.exe\""	d7508b07903325957294ebdcb89bd5b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\en-US\\smss.exe\""	d7508b07903325957294ebdcb89bd5b3.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\SystemSettings.Handlers\taskhostw.exe	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\System32\SystemSettings.Handlers\taskhostw.exe	d7508b07903325957294ebdcb89bd5b3.exe
File created	C:\Windows\System32\SystemSettings.Handlers\ea9f0e6c9e2dcd	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\System32\SystemSettings.Handlers\RCX566F.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\System32\SystemSettings.Handlers\RCX56FC.tmp	d7508b07903325957294ebdcb89bd5b3.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe	d7508b07903325957294ebdcb89bd5b3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\eddb19405b7ce1	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX5FCD.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX605B.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe	d7508b07903325957294ebdcb89bd5b3.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\en-US\smss.exe	d7508b07903325957294ebdcb89bd5b3.exe
File created	C:\Windows\en-US\69ddcba757bf72	d7508b07903325957294ebdcb89bd5b3.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\en-US\smss.exe	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\RCX626F.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\RCX6270.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\en-US\RCX5920.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\en-US\RCX5921.tmp	d7508b07903325957294ebdcb89bd5b3.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	d7508b07903325957294ebdcb89bd5b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	d7508b07903325957294ebdcb89bd5b3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4320	schtasks.exe
728	schtasks.exe
4572	schtasks.exe
4536	schtasks.exe
4664	schtasks.exe
4692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1456	d7508b07903325957294ebdcb89bd5b3.exe
1456	d7508b07903325957294ebdcb89bd5b3.exe
1456	d7508b07903325957294ebdcb89bd5b3.exe
1220	powershell.exe
1220	powershell.exe
1080	powershell.exe
1080	powershell.exe
1144	powershell.exe
1144	powershell.exe
1488	powershell.exe
1488	powershell.exe
1368	powershell.exe
1368	powershell.exe
4368	powershell.exe
4368	powershell.exe
5420	powershell.exe
5420	powershell.exe
5420	powershell.exe
1368	powershell.exe
1220	powershell.exe
1080	powershell.exe
1144	powershell.exe
1488	powershell.exe
4368	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	d7508b07903325957294ebdcb89bd5b3.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	3092	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1220	1456	d7508b07903325957294ebdcb89bd5b3.exe	98
PID 1456 wrote to memory of 1220	1456	d7508b07903325957294ebdcb89bd5b3.exe	98
PID 1456 wrote to memory of 5420	1456	d7508b07903325957294ebdcb89bd5b3.exe	99
PID 1456 wrote to memory of 5420	1456	d7508b07903325957294ebdcb89bd5b3.exe	99
PID 1456 wrote to memory of 1144	1456	d7508b07903325957294ebdcb89bd5b3.exe	100
PID 1456 wrote to memory of 1144	1456	d7508b07903325957294ebdcb89bd5b3.exe	100
PID 1456 wrote to memory of 4368	1456	d7508b07903325957294ebdcb89bd5b3.exe	101
PID 1456 wrote to memory of 4368	1456	d7508b07903325957294ebdcb89bd5b3.exe	101
PID 1456 wrote to memory of 1368	1456	d7508b07903325957294ebdcb89bd5b3.exe	103
PID 1456 wrote to memory of 1368	1456	d7508b07903325957294ebdcb89bd5b3.exe	103
PID 1456 wrote to memory of 1080	1456	d7508b07903325957294ebdcb89bd5b3.exe	104
PID 1456 wrote to memory of 1080	1456	d7508b07903325957294ebdcb89bd5b3.exe	104
PID 1456 wrote to memory of 1488	1456	d7508b07903325957294ebdcb89bd5b3.exe	105
PID 1456 wrote to memory of 1488	1456	d7508b07903325957294ebdcb89bd5b3.exe	105
PID 1456 wrote to memory of 244	1456	d7508b07903325957294ebdcb89bd5b3.exe	112
PID 1456 wrote to memory of 244	1456	d7508b07903325957294ebdcb89bd5b3.exe	112
PID 244 wrote to memory of 740	244	cmd.exe	114
PID 244 wrote to memory of 740	244	cmd.exe	114
PID 244 wrote to memory of 3092	244	cmd.exe	117
PID 244 wrote to memory of 3092	244	cmd.exe	117

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d7508b07903325957294ebdcb89bd5b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7508b07903325957294ebdcb89bd5b3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe
"C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SystemSettings.Handlers\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Documents\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hpgeZ6SzYc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:740
- - C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\SystemSettings.Handlers\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe

Filesize
1.1MB

MD5
d7508b07903325957294ebdcb89bd5b3

SHA1
b6280b6c5e4b601ba3182520eca834aecd1ae1fc

SHA256
4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e

SHA512
e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe

Filesize
1.1MB

MD5
06f6f42d1fa97a08ece2264d33a5a2fe

SHA1
1e08f2d67cf7447be8f778fba12ab8d15d20e778

SHA256
6ee910a8e16c49b5eab45caee5b2f9d82e5a6ae6e775bc6680cf8bc3da39b575

SHA512
af0e61bc5b9e0326862f6886670a03103eaaa5e11356c2ff4fcc26e4262b5210301bae0d2de01e42f74165407828d9874a085bc1f8e1288839ad9ddc9b3c376f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f29d4b03e157fa020f2b793683543af

SHA1
1b0603266b02dd38444489e0d5e18ee93b6b766a

SHA256
eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

SHA512
b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
452593747a6f6f0b2e08d8502e1ec6e7

SHA1
027c3a7f5f18e7a1e96bbf2a3d3c267e72821836

SHA256
495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d

SHA512
17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_reeuemx1.sdu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpgeZ6SzYc.bat

Filesize
237B

MD5
b7feb667205a6c449ce02f09be9de977

SHA1
4d6eeec0fe6365491e645cf6cfc833d7d46eed26

SHA256
7450247a8dba08d2115ff6d5e354c0fb96da6d671c0fba4c1355ee980d047cc4

SHA512
fe4102fc9c4c942799cd9c098bd3d2b6224437099b704cf078acdb416a072930e9b161e4cc40992487378027ba716ffcabe693971c64c1375f80baf9b8c9ce07

Download Submit
C:\Windows\System32\SystemSettings.Handlers\taskhostw.exe

Filesize
1.1MB

MD5
c352378ac9b1f657296fe5f59ab423ff

SHA1
5d7ad6725b88191452eccd670f3fbfabb3e149d4

SHA256
8f4a8d63793a5f14743d5f2c333623214b1dc1814158e36cbdcf451d5cc70a98

SHA512
c57005a9d36ff23bcc8fba1612c848323e1a83293f8bd4dac390693e9db68c3f54071dba7513fd61b4ef441a77478ba654c972cc2472a3cd52d05f0b7f4ee3f2

Download Submit
memory/1220-110-0x00000202BF2F0000-0x00000202BF312000-memory.dmp

Filesize
136KB

Download
memory/1456-4-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1456-100-0x00007FFD82340000-0x00007FFD82E01000-memory.dmp

Filesize
10.8MB

Download
memory/1456-3-0x00007FFD82340000-0x00007FFD82E01000-memory.dmp

Filesize
10.8MB

Download
memory/1456-5-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/1456-7-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/1456-0-0x00007FFD82343000-0x00007FFD82345000-memory.dmp

Filesize
8KB

Download
memory/1456-2-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1456-1-0x0000000000300000-0x0000000000416000-memory.dmp

Filesize
1.1MB

Download
memory/1456-6-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/3092-184-0x0000000000ED0000-0x0000000000FE6000-memory.dmp

Filesize
1.1MB

Download