dcrat | 6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe
Size

2.6MB
MD5

95a33349fd2a84e397b2f406d86ecf91
SHA1

aa12a73b3de5be31c77dac39d4d3a6a70269429f
SHA256

6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf
SHA512

3fc5579a23da99e5ed41bd91bcbcf241a8cafb466bfa94d131ddc4f1d12c8d755361595d70e19e707d81f1d1ce5efc0e36b8579e47d9372f5da16a05b7c96ea1
SSDEEP

49152:0bB7GpqxgFuANb7UqRDIZ63KYV4JOU5/FZ53aqWVPVrNCddRrvawu:0bBSpeOuU7U4SC44U5DprauPu

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3024	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3024	schtasks.exe	37

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000015685-6.dat	dcrat
behavioral1/files/0x0007000000015d60-22.dat	dcrat
behavioral1/memory/2708-26-0x0000000000A50000-0x0000000000CA2000-memory.dmp	dcrat
behavioral1/memory/2852-78-0x00000000008B0000-0x0000000000B02000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3048	Install_JJSploit16.8.exe
2708	chainsavesref.exe
2852	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	cmd.exe
2560	cmd.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\7a0fd90576e088	chainsavesref.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\817c8c8ec737a7	chainsavesref.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\wscript.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\886983d96e3d3e	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\csrss.exe	chainsavesref.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\explorer.exe	chainsavesref.exe
File created	C:\Program Files\DVD Maker\es-ES\lsm.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	chainsavesref.exe
File created	C:\Program Files\DVD Maker\es-ES\101b941d020240	chainsavesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	chainsavesref.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0006\csrss.exe	chainsavesref.exe
File created	C:\Windows\diagnostics\index\System.exe	chainsavesref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install_JJSploit16.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
3032	schtasks.exe
468	schtasks.exe
2056	schtasks.exe
1076	schtasks.exe
3004	schtasks.exe
2456	schtasks.exe
860	schtasks.exe
2276	schtasks.exe
2232	schtasks.exe
2880	schtasks.exe
2360	schtasks.exe
1936	schtasks.exe
2848	schtasks.exe
2712	schtasks.exe
1300	schtasks.exe
1716	schtasks.exe
2768	schtasks.exe
1476	schtasks.exe
2984	schtasks.exe
2624	schtasks.exe
1596	schtasks.exe
1644	schtasks.exe
848	schtasks.exe
1380	schtasks.exe
2816	schtasks.exe
1268	schtasks.exe
1156	schtasks.exe
2764	schtasks.exe
1200	schtasks.exe
1216	schtasks.exe
2140	schtasks.exe
2352	schtasks.exe
1004	schtasks.exe
892	schtasks.exe
2096	schtasks.exe
1848	schtasks.exe
2692	schtasks.exe
1696	schtasks.exe
1232	schtasks.exe
1524	schtasks.exe
2636	schtasks.exe
2436	schtasks.exe
2728	schtasks.exe
560	schtasks.exe
900	schtasks.exe
1448	schtasks.exe
1312	schtasks.exe
1692	schtasks.exe
2016	schtasks.exe
2432	schtasks.exe
2912	schtasks.exe
1944	schtasks.exe
1792	schtasks.exe
1196	schtasks.exe
2148	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2708	chainsavesref.exe
2852	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	chainsavesref.exe
Token: SeDebugPrivilege	2852	wscript.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 2036 wrote to memory of 3048	2036	6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe	31
PID 3048 wrote to memory of 2760	3048	Install_JJSploit16.8.exe	32
PID 3048 wrote to memory of 2760	3048	Install_JJSploit16.8.exe	32
PID 3048 wrote to memory of 2760	3048	Install_JJSploit16.8.exe	32
PID 3048 wrote to memory of 2760	3048	Install_JJSploit16.8.exe	32
PID 3048 wrote to memory of 2824	3048	Install_JJSploit16.8.exe	33
PID 3048 wrote to memory of 2824	3048	Install_JJSploit16.8.exe	33
PID 3048 wrote to memory of 2824	3048	Install_JJSploit16.8.exe	33
PID 3048 wrote to memory of 2824	3048	Install_JJSploit16.8.exe	33
PID 2760 wrote to memory of 2560	2760	WScript.exe	34
PID 2760 wrote to memory of 2560	2760	WScript.exe	34
PID 2760 wrote to memory of 2560	2760	WScript.exe	34
PID 2760 wrote to memory of 2560	2760	WScript.exe	34
PID 2560 wrote to memory of 2708	2560	cmd.exe	36
PID 2560 wrote to memory of 2708	2560	cmd.exe	36
PID 2560 wrote to memory of 2708	2560	cmd.exe	36
PID 2560 wrote to memory of 2708	2560	cmd.exe	36
PID 2708 wrote to memory of 2852	2708	chainsavesref.exe	95
PID 2708 wrote to memory of 2852	2708	chainsavesref.exe	95
PID 2708 wrote to memory of 2852	2708	chainsavesref.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe
"C:\Users\Admin\AppData\Local\Temp\6b4372f45d14a2f2b5d64d153e31b65436936921bceeeb8b01585f71a8c0e1bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\Install_JJSploit16.8.exe
  "C:\Users\Admin\AppData\Roaming\Install_JJSploit16.8.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Runtimehost\MYWzp0a6xwrEK5S4UF.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Runtimehost\pQImPX9m1y2f8C.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Runtimehost\chainsavesref.exe
        
        "C:\Runtimehost\chainsavesref.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Runtimehost\file.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Runtimehost\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Runtimehost\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Runtimehost\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Runtimehost\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Runtimehost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Runtimehost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Runtimehost\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Runtimehost\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Runtimehost\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Runtimehost\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Runtimehost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Runtimehost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Runtimehost\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Runtimehost\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Runtimehost\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Runtimehost\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Runtimehost\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Runtimehost\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Runtimehost\MYWzp0a6xwrEK5S4UF.vbe

Filesize
202B

MD5
ecf0d0693e7b19616fab6c1923ce1bca

SHA1
11a4d520d950f72c8575faf33e15037e68d36712

SHA256
4b3af66a1c0ed2ef1bf7b55ca6940cada614229200dae62024b03c08b7f843d6

SHA512
a8503afbcc63814c567d666c81b8428c2cd00709c89346e1570c065922ebc014fc296663cc3131148a58f4344a45f1142851aa0ed2754b21445912accf05341f

Download Submit
C:\Runtimehost\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Runtimehost\pQImPX9m1y2f8C.bat

Filesize
34B

MD5
315845ba3d99cbfaeec438a8dddee9ae

SHA1
9b210d6f805af769de23ae060844a1dddcf9cdce

SHA256
704a1a651e6b566a4a0e54d95de33d5c55a330d75c0b4456b3fa4c2ba4718a97

SHA512
3b5a0364038167ac3133f43f9eb6b85090612a30c27ab3920adc8c18a4a7fc8eb030378819dd9be98227ae668dcdf5779d9feb5993d99e9b02de57bf5622cbc7

Download Submit
C:\Users\Admin\AppData\Roaming\Install_JJSploit16.8.exe

Filesize
2.6MB

MD5
1d3f70e65723398ca3ffefd0f346ef0e

SHA1
40c6926b7abbfaab25806f6e9bb88e9f52c87007

SHA256
50d21266acc179352743c1bf14ada681f4f6517ed240ac1ded4f094a1248a95c

SHA512
02044791a8e8b40625bebd7ea902066222ed00d94065a22b5d8ac39d539e5295d5345259f9fabdc6c2a3c95579e978fe8914f6c1fe640b5a2869082499a57d6d

Download Submit
\Runtimehost\chainsavesref.exe

Filesize
2.3MB

MD5
afc7c278c420c1c025a97af636a4f6cd

SHA1
d5af2fd0336518756ee300dd4fb5106959adcaf7

SHA256
f817634c1236f507c749742bd1bae393b74d2d29620128ecc50037205f175cc7

SHA512
12a401f94aa941e56e116c9981626b50d18e592b1550ff5198fef47895a43a56fcbe77f6e88cd8951d01e7c05a4a6d80ce54176257ec47c9a219b1dece62337a

Download Submit
memory/2036-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x00000000010A0000-0x0000000001344000-memory.dmp

Filesize
2.6MB

Download
memory/2708-27-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2708-26-0x0000000000A50000-0x0000000000CA2000-memory.dmp

Filesize
2.3MB

Download
memory/2708-28-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2708-29-0x0000000000490000-0x00000000004E6000-memory.dmp

Filesize
344KB

Download
memory/2708-30-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2708-31-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2708-32-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2708-33-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2852-78-0x00000000008B0000-0x0000000000B02000-memory.dmp

Filesize
2.3MB

Download
memory/2852-79-0x0000000002350000-0x00000000023A6000-memory.dmp

Filesize
344KB

Download
memory/2852-80-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download