dcrat | a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
Size

1.7MB
MD5

6b21edfb72167ffb20e32f8dbbc7fb38
SHA1

1f5411cd37262fca7a8b88ece06d8c78e8ec70fd
SHA256

a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5
SHA512

14a28825501056a1bfe94b0d86924c7f5f33c7fd985b467f6b16d3563d0929af625ee1bb761c4b7640195229e0d1ed1a2e80e3e531709b7108495d7f833866ac
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvA:OTHUxUoh1IF9gl2V

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2920	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2084-1-0x0000000001120000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/files/0x000d00000001226d-29.dat	dcrat
behavioral1/memory/3020-106-0x0000000000CC0000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2444-132-0x00000000013C0000-0x0000000001580000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2888	powershell.exe
1836	powershell.exe
1276	powershell.exe
852	powershell.exe
560	powershell.exe
1208	powershell.exe
1116	powershell.exe
592	powershell.exe
328	powershell.exe
1312	powershell.exe
1060	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe

Executes dropped EXE 8 IoCs

pid	Process
3020	dwm.exe
2444	dwm.exe
1544	dwm.exe
2512	dwm.exe
1276	dwm.exe
1776	dwm.exe
604	dwm.exe
1312	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\server\RCXB791.tmp	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\dwm.exe	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
File created	C:\Program Files\Java\jre7\bin\server\dwm.exe	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
File created	C:\Program Files\Java\jre7\bin\server\6cb0b6c459d5d3	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\RCXB790.tmp	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
2952	schtasks.exe
2780	schtasks.exe
2108	schtasks.exe
2184	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
1116	powershell.exe
2888	powershell.exe
592	powershell.exe
1276	powershell.exe
1836	powershell.exe
328	powershell.exe
2860	powershell.exe
1312	powershell.exe
1208	powershell.exe
852	powershell.exe
560	powershell.exe
1060	powershell.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
3020	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe
2444	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	3020	dwm.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2444	dwm.exe
Token: SeDebugPrivilege	1544	dwm.exe
Token: SeDebugPrivilege	2512	dwm.exe
Token: SeDebugPrivilege	1276	dwm.exe
Token: SeDebugPrivilege	1776	dwm.exe
Token: SeDebugPrivilege	604	dwm.exe
Token: SeDebugPrivilege	1312	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1836	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	37
PID 2084 wrote to memory of 1836	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	37
PID 2084 wrote to memory of 1836	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	37
PID 2084 wrote to memory of 1276	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	38
PID 2084 wrote to memory of 1276	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	38
PID 2084 wrote to memory of 1276	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	38
PID 2084 wrote to memory of 328	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	39
PID 2084 wrote to memory of 328	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	39
PID 2084 wrote to memory of 328	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	39
PID 2084 wrote to memory of 852	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	40
PID 2084 wrote to memory of 852	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	40
PID 2084 wrote to memory of 852	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	40
PID 2084 wrote to memory of 560	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	41
PID 2084 wrote to memory of 560	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	41
PID 2084 wrote to memory of 560	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	41
PID 2084 wrote to memory of 1208	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	42
PID 2084 wrote to memory of 1208	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	42
PID 2084 wrote to memory of 1208	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	42
PID 2084 wrote to memory of 1116	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	43
PID 2084 wrote to memory of 1116	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	43
PID 2084 wrote to memory of 1116	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	43
PID 2084 wrote to memory of 1312	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	44
PID 2084 wrote to memory of 1312	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	44
PID 2084 wrote to memory of 1312	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	44
PID 2084 wrote to memory of 1060	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	45
PID 2084 wrote to memory of 1060	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	45
PID 2084 wrote to memory of 1060	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	45
PID 2084 wrote to memory of 2860	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	46
PID 2084 wrote to memory of 2860	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	46
PID 2084 wrote to memory of 2860	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	46
PID 2084 wrote to memory of 2888	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	47
PID 2084 wrote to memory of 2888	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	47
PID 2084 wrote to memory of 2888	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	47
PID 2084 wrote to memory of 592	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	48
PID 2084 wrote to memory of 592	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	48
PID 2084 wrote to memory of 592	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	48
PID 2084 wrote to memory of 3020	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	61
PID 2084 wrote to memory of 3020	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	61
PID 2084 wrote to memory of 3020	2084	a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe	61
PID 3020 wrote to memory of 2928	3020	dwm.exe	62
PID 3020 wrote to memory of 2928	3020	dwm.exe	62
PID 3020 wrote to memory of 2928	3020	dwm.exe	62
PID 3020 wrote to memory of 2944	3020	dwm.exe	63
PID 3020 wrote to memory of 2944	3020	dwm.exe	63
PID 3020 wrote to memory of 2944	3020	dwm.exe	63
PID 2928 wrote to memory of 2444	2928	WScript.exe	65
PID 2928 wrote to memory of 2444	2928	WScript.exe	65
PID 2928 wrote to memory of 2444	2928	WScript.exe	65
PID 2444 wrote to memory of 1888	2444	dwm.exe	66
PID 2444 wrote to memory of 1888	2444	dwm.exe	66
PID 2444 wrote to memory of 1888	2444	dwm.exe	66
PID 2444 wrote to memory of 1804	2444	dwm.exe	67
PID 2444 wrote to memory of 1804	2444	dwm.exe	67
PID 2444 wrote to memory of 1804	2444	dwm.exe	67
PID 1888 wrote to memory of 1544	1888	WScript.exe	68
PID 1888 wrote to memory of 1544	1888	WScript.exe	68
PID 1888 wrote to memory of 1544	1888	WScript.exe	68
PID 1544 wrote to memory of 2832	1544	dwm.exe	69
PID 1544 wrote to memory of 2832	1544	dwm.exe	69
PID 1544 wrote to memory of 2832	1544	dwm.exe	69
PID 1544 wrote to memory of 1116	1544	dwm.exe	70
PID 1544 wrote to memory of 1116	1544	dwm.exe	70
PID 1544 wrote to memory of 1116	1544	dwm.exe	70
PID 2832 wrote to memory of 2512	2832	WScript.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe
"C:\Users\Admin\AppData\Local\Temp\a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Program Files\Java\jre7\bin\server\dwm.exe
  "C:\Program Files\Java\jre7\bin\server\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e17f97-000f-4f6a-a8da-1d427ace8556.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Program Files\Java\jre7\bin\server\dwm.exe
      "C:\Program Files\Java\jre7\bin\server\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4afa8847-7bc0-4107-beb5-89f77dc323c8.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6709d9-2ef7-47b1-8c86-605eab884cc6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9b1d1f-0ace-440a-a0fa-ab627cb532f1.vbs"
        9⤵
        
        PID:1784
        
        C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f833b3d0-2794-4f18-b82e-9ab207336c24.vbs"
        11⤵
        
        PID:2632
        
        C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c7d6630-42f1-418c-90de-761499f8a287.vbs"
        13⤵
        
        PID:960
        
        C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fdd5785-dd1a-4c8b-95b1-12cab4e7bcf2.vbs"
        15⤵
        
        PID:1932
        
        C:\Program Files\Java\jre7\bin\server\dwm.exe
        
        "C:\Program Files\Java\jre7\bin\server\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285d74aa-2422-4a8b-b42e-58aca7fc1cee.vbs"
        17⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43323568-9f80-44b6-9467-c7e857252a1a.vbs"
        17⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ffe5d5b-cae0-458f-9fe7-862d873b49bd.vbs"
        15⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a666ff5-2320-4ee9-94e3-eabe88a95938.vbs"
        13⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba5f8f2-6927-4aa7-acdb-8f2fea1b2ee9.vbs"
        11⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3193f1e7-4c84-412f-a38a-75414b00ea85.vbs"
        9⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5f56841-ae67-4739-b45c-afc60cab719b.vbs"
        7⤵
        
        PID:1116
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5549920-74ca-4c82-86a5-cb45c42032be.vbs"
        5⤵
        
        PID:1804
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d074442c-a60a-4ee2-aca1-df9de92848d4.vbs"
    3⤵
    PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\server\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\server\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\server\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\285d74aa-2422-4a8b-b42e-58aca7fc1cee.vbs

Filesize
721B

MD5
c5a880cddf08c12e229e90695d41649b

SHA1
705be7cf1052878f3832279f909c09e30b9f9690

SHA256
1a029814e4fbdb29ee69336d3487b7456f6f0939adc5fb5ac44e72c1166990cf

SHA512
c314929290d936b2fee2d290dd93d8209721db779a27bc6bfbcbaa5aea8fc2ad06be9b594615a632342afad4a59cc74be865665f9570ce52e85ceeec438b1b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fdd5785-dd1a-4c8b-95b1-12cab4e7bcf2.vbs

Filesize
720B

MD5
0f6abb0e0447e7fa78cb37a4d1dc9976

SHA1
f097a4905ab55327704e17072112e86ab0ed768b

SHA256
114dfba53f45a02abe99c6a040925d1d740fcba39b9049bcf533d017ed6e324c

SHA512
ae1bb0c3e143282806af66284eb29a73fbcb4a9a1d52af33f293ad1c8a0e8a9ebcdbac3d17d8e01ff494e966b4cc318206b4e438a192db4b6d8b2a5c8be480ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4afa8847-7bc0-4107-beb5-89f77dc323c8.vbs

Filesize
721B

MD5
61b1b1183be333c02392daced871fb5b

SHA1
8bf80fb907390dc93aa91888feb9184a2f403a75

SHA256
c1b90e87bb920d6b96860b054fb1a56a4336d91e06f81225bf50ebdaa579ef74

SHA512
13a9d6db025390c52bbd093a2058594b21d35579cc9037b7876d5292358872440de234286f02ad38fcaca6ac28d4eec8f5153bca6e36fc840fe5a25698353e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c7d6630-42f1-418c-90de-761499f8a287.vbs

Filesize
721B

MD5
205769c2f29be5a7da783f80e67cfcea

SHA1
f0288269bac955165f853312b3dc2c2ffc84cb73

SHA256
d81e6bc855c2dc49bbc3fc90e4ced03156a0944454b94a8f8da1510ffd1d6319

SHA512
a7ba5478cc32ccf0b92dc8b6643b2229c4880f29e71d646304397d46fc3878bd96e24d42fd4659ee0bd62d52b26440d3c3608fdeb1839cfab8d3b706edea6d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2e17f97-000f-4f6a-a8da-1d427ace8556.vbs

Filesize
721B

MD5
00f8710be54db61bd6f77338f84eafeb

SHA1
6936e9258e20ddc7322cc056154fc3133704f708

SHA256
3726626b5049e8325c1b6529b17afe1dbe69e426f8cf3d61e2429e615a2c7469

SHA512
af26b7b9ff4036cc00fafeca7abd30a206d0872e7e9d7239e38f98b7a134c967093e33eed06be705efe00b0291421c8139f7fc019029044efc97bdff46b0b2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca9b1d1f-0ace-440a-a0fa-ab627cb532f1.vbs

Filesize
721B

MD5
0468f3a07604c08c6d15a4f6eb2d77bd

SHA1
eead2e4e0b98352ad2e665f954a01bb7f0f14990

SHA256
e8f29629917026f77dc954761d985896e7e5afee044f9dab1e9fc65407e1535a

SHA512
3b39692d1d81d2da5dc7b867072e800180c96031baf39bbc549fb3954fddcb92c88dbb2e945eb0af241c2361df447c48ed6668443958b5204ac41b52d69d00e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d074442c-a60a-4ee2-aca1-df9de92848d4.vbs

Filesize
497B

MD5
d6469080cda06eb3eb1d899f1ac6a287

SHA1
7cbdb23a1832daa380075b19b41a3e94c7d5ab92

SHA256
ab1b8f2717769fd44bc7bde9901950a5dbd528ab5063b4b56d178a3712b29434

SHA512
30ccab2fc1232173bf5751029a435e84c23ae2ca48569d34aaecfd22e492a1d2d375dec137dd8d05379e8f9bf80243478553d3eb652d84d67bebf260b8cac829

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6709d9-2ef7-47b1-8c86-605eab884cc6.vbs

Filesize
721B

MD5
024d2ee826078397bea2a78d60059b96

SHA1
1359d5fb2a6cdaa23492b4e593472694e8a4e82c

SHA256
70b1b1d26fd33ffe2dffd8cb63f5ee331a1a5450a34f2cde4a47284432d53b18

SHA512
8d674d7f55416e9eb28da350cba78435648e65f53a663fb34ff5c0723fd65bfb7d76b07ce2894804f859d507dd048406f97c17259f74e66fed7a875e8e2453c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f833b3d0-2794-4f18-b82e-9ab207336c24.vbs

Filesize
721B

MD5
2baf9a9d294800cb9858a0a90b37f558

SHA1
f09bb224e5137e22856bcadf20c6047d56ef92f5

SHA256
ac30dec89360b48e30889c633459bd654b6ab719de867a30097f0b574651d924

SHA512
4f0e479b6c18b20255e383c4427bcc2eedb3e839b276384167a542d97c2e13eebe14043a7dac590428395b8719c08e451b895273e4475c496e878ece93db093e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\430I9GAW6M1BROGLLR8V.temp

Filesize
7KB

MD5
d273352a78e8a9c744c51ed2797c96ef

SHA1
b6bd113be7d54941b8976b5ec2b7dd8002c9214b

SHA256
1663e29ad19ce19673eddf6cbad75779052a3a33524e8d9cdfb3405a9a377af4

SHA512
dff95da391361440055dd02f7046098b274784a33934a523d32a2d84b466825322b304794187f0b89239bfb8fbca1788f4012bdcfe609ab8ddeb8dbfa88591db

Download Submit
C:\Users\Default\AppData\Roaming\explorer.exe

Filesize
1.7MB

MD5
6b21edfb72167ffb20e32f8dbbc7fb38

SHA1
1f5411cd37262fca7a8b88ece06d8c78e8ec70fd

SHA256
a8ded05ad12e25c00518165ba83803e5cbe549e7dcbd5577ae48f831c57be6c5

SHA512
14a28825501056a1bfe94b0d86924c7f5f33c7fd985b467f6b16d3563d0929af625ee1bb761c4b7640195229e0d1ed1a2e80e3e531709b7108495d7f833866ac

Download Submit
memory/1116-68-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1776-178-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2084-105-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-1-0x0000000001120000-0x00000000012E0000-memory.dmp

Filesize
1.8MB

Download
memory/2084-12-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2084-17-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2084-20-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/2084-11-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2084-13-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2084-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2084-8-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2084-16-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2084-15-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2084-2-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2084-7-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2084-6-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/2084-14-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2084-5-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2084-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2444-132-0x00000000013C0000-0x0000000001580000-memory.dmp

Filesize
1.8MB

Download
memory/2512-155-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2888-66-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/3020-106-0x0000000000CC0000-0x0000000000E80000-memory.dmp

Filesize
1.8MB

Download