dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
19s
max time network
22s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85edcd8fbc445760ff0796aa459e3c42.exe
Size

999KB
MD5

85edcd8fbc445760ff0796aa459e3c42
SHA1

bc63d62de0f20bee25246b808bf512371e9aa875
SHA256

8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292
SHA512

a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\csrss.exe\", \"C:\\ProgramData\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\audiodg.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\csrss.exe\", \"C:\\ProgramData\\Desktop\\WmiPrvSE.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\csrss.exe\", \"C:\\ProgramData\\Desktop\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	468	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2240	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\TableTextService\\ja-JP\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\OSPPSVC.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\ProgramData\\Desktop\\WmiPrvSE.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\ja-JP\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\audiodg.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\csrss.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCB38.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\7a0fd90576e088	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC450.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXC858.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\dllhost.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCACA.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft.NET\csrss.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCXBFD9.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC44F.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXC8C6.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Defender\ja-JP\dllhost.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Defender\ja-JP\5940a34987c991	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCXBF6B.tmp	85edcd8fbc445760ff0796aa459e3c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
1728	schtasks.exe
1924	schtasks.exe
2400	schtasks.exe
2792	schtasks.exe
2680	schtasks.exe
1700	schtasks.exe
2892	schtasks.exe
2880	schtasks.exe
2764	schtasks.exe
288	schtasks.exe
1936	schtasks.exe
1856	schtasks.exe
2912	schtasks.exe
2804	schtasks.exe
2684	schtasks.exe
2884	schtasks.exe
2772	schtasks.exe
1280	schtasks.exe
1812	schtasks.exe
2520	schtasks.exe
2996	schtasks.exe
2672	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2556	85edcd8fbc445760ff0796aa459e3c42.exe
2556	85edcd8fbc445760ff0796aa459e3c42.exe
2556	85edcd8fbc445760ff0796aa459e3c42.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	2240	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2240	2556	85edcd8fbc445760ff0796aa459e3c42.exe	57
PID 2556 wrote to memory of 2240	2556	85edcd8fbc445760ff0796aa459e3c42.exe	57
PID 2556 wrote to memory of 2240	2556	85edcd8fbc445760ff0796aa459e3c42.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
"C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe
  "C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\ProgramData\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Program Files\Windows Defender\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\ja-JP\dllhost.exe

Filesize
999KB

MD5
85edcd8fbc445760ff0796aa459e3c42

SHA1
bc63d62de0f20bee25246b808bf512371e9aa875

SHA256
8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292

SHA512
a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c

Download Submit
C:\Program Files\Windows Defender\ja-JP\dllhost.exe

Filesize
999KB

MD5
5b56ee1a33476c268be1e64c2c73cc85

SHA1
0b0efab8993f000a53df7c41cead5300fa13a5d2

SHA256
d833577b383c30bb450290132a9a346fad00cca2c6e7df7f655d50fa63442aab

SHA512
4024587ecc8833010cf8042ec6f708b62c5feb928c2136cde76c550add61f4c6cc2c980257765ef81e871a93863ed1f2cc58c06e23fed03e7ecf3ba8f1dce953

Download Submit
C:\Program Files\Windows NT\TableTextService\ja-JP\explorer.exe

Filesize
999KB

MD5
850731a21c7475f9b7e986f609a6f70d

SHA1
8dfbef5a4dac49f9e4effb0c72931ea88f6ad85e

SHA256
7af3f100b3c1e627c001aed03b6f1f8bb84bc413d12f081cb38136518d3c7058

SHA512
e62091418c54922310353ea732777df668cad1ab4eaa676a78dbd412b0ab3f7caa6b2f6f2177bc2653a018c50626eb26ace2b6b9045f782850f0b319c6b5bcdb

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe

Filesize
999KB

MD5
261caeac26942e63ea53f483a7116577

SHA1
1bd1f2d1208fedb39b8fee63c3c15ee77925b531

SHA256
d022b1b86a70c11860599b47c005fba8a85781f0231519c33ff594040a3089c7

SHA512
162a5ce47fc791e23ba431e36a07d0b626db2d5506fddf11a3e045c2bc7648ee84209f600b15ba6427e7b8f9e2698eb1f32213e7473c7a7e4a7dbce83894fa34

Download Submit
memory/2240-103-0x0000000001000000-0x0000000001100000-memory.dmp

Filesize
1024KB

Download
memory/2556-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2556-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2556-8-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2556-7-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2556-10-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2556-9-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2556-6-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2556-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2556-3-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2556-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-1-0x0000000000F10000-0x0000000001010000-memory.dmp

Filesize
1024KB

Download
memory/2556-104-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download