dcrat | fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
Size

2.0MB
MD5

ff6e26dc9893c97196aefe245defeff9
SHA1

6ec3649790e948299b43bc522ee6d3fc9d10f769
SHA256

fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4
SHA512

6c4f76b35b0a90ca8e132d20a3b9d0eaf4752c6c49efe9a6f180b3b7a2091af55f8cab0be881e499a90da496ccbce7550eba4d8a3bc124060b429d44fb08e0a0
SSDEEP

49152:1Djlabwz9WV429A3twp/pZ5zUg45hGUrf/osAX4RUhpKT/+qYiv:Zqw+T9ewpRzz6OUkR4R7TmqYK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Public\\TextInputHost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\blockPortServerdriverRuntime.exe\", \"C:\\Users\\Default\\Pictures\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\blockPortServerdriverRuntime.exe\", \"C:\\Users\\Default\\Pictures\\blockPortServerdriverRuntime.exe\", \"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	640	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	640	schtasks.exe	88

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	blockPortServerdriverRuntime.exe

Executes dropped EXE 19 IoCs

pid	Process
1932	blockPortServerdriverRuntime.sfx.exe
3428	blockPortServerdriverRuntime.exe
4616	blockPortServerdriverRuntime.exe
1740	blockPortServerdriverRuntime.exe
5000	blockPortServerdriverRuntime.exe
3628	blockPortServerdriverRuntime.exe
4924	blockPortServerdriverRuntime.exe
3212	blockPortServerdriverRuntime.exe
4828	blockPortServerdriverRuntime.exe
1936	blockPortServerdriverRuntime.exe
3204	blockPortServerdriverRuntime.exe
1536	blockPortServerdriverRuntime.exe
5080	blockPortServerdriverRuntime.exe
2176	blockPortServerdriverRuntime.exe
868	blockPortServerdriverRuntime.exe
992	blockPortServerdriverRuntime.exe
2912	blockPortServerdriverRuntime.exe
3664	blockPortServerdriverRuntime.exe
4732	blockPortServerdriverRuntime.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\TextInputHost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\TextInputHost.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Recovery\\WindowsRE\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Users\\Default\\Pictures\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Users\\Default\\Pictures\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	blockPortServerdriverRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortServerdriverRuntime = "\"C:\\Recovery\\WindowsRE\\blockPortServerdriverRuntime.exe\""	blockPortServerdriverRuntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC415661AA129C4220833CB73FDFD644.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4100	PING.EXE
4696	PING.EXE
3196	PING.EXE
3292	PING.EXE
4876	PING.EXE
2360	PING.EXE
4972	PING.EXE
1004	PING.EXE
2360	PING.EXE
2196	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	blockPortServerdriverRuntime.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
4696	PING.EXE
4876	PING.EXE
2196	PING.EXE
2360	PING.EXE
2360	PING.EXE
4972	PING.EXE
1004	PING.EXE
4100	PING.EXE
3196	PING.EXE
3292	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
944	schtasks.exe
4708	schtasks.exe
1852	schtasks.exe
2176	schtasks.exe
1452	schtasks.exe
3660	schtasks.exe
3184	schtasks.exe
2548	schtasks.exe
1328	schtasks.exe
2600	schtasks.exe
4072	schtasks.exe
4900	schtasks.exe
1808	schtasks.exe
700	schtasks.exe
3192	schtasks.exe
1408	schtasks.exe
4972	schtasks.exe
1336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe
3428	blockPortServerdriverRuntime.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	4616	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	1740	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	5000	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	3628	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	4924	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	3212	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	4828	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	1936	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	3204	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	1536	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	5080	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	2176	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	868	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	992	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	2912	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	3664	blockPortServerdriverRuntime.exe
Token: SeDebugPrivilege	4732	blockPortServerdriverRuntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3528	4308	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	83
PID 4308 wrote to memory of 3528	4308	fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe	83
PID 3528 wrote to memory of 1932	3528	cmd.exe	86
PID 3528 wrote to memory of 1932	3528	cmd.exe	86
PID 1932 wrote to memory of 3428	1932	blockPortServerdriverRuntime.sfx.exe	87
PID 1932 wrote to memory of 3428	1932	blockPortServerdriverRuntime.sfx.exe	87
PID 3428 wrote to memory of 3616	3428	blockPortServerdriverRuntime.exe	92
PID 3428 wrote to memory of 3616	3428	blockPortServerdriverRuntime.exe	92
PID 3616 wrote to memory of 2172	3616	csc.exe	94
PID 3616 wrote to memory of 2172	3616	csc.exe	94
PID 3428 wrote to memory of 1520	3428	blockPortServerdriverRuntime.exe	110
PID 3428 wrote to memory of 1520	3428	blockPortServerdriverRuntime.exe	110
PID 1520 wrote to memory of 4872	1520	cmd.exe	112
PID 1520 wrote to memory of 4872	1520	cmd.exe	112
PID 1520 wrote to memory of 4184	1520	cmd.exe	113
PID 1520 wrote to memory of 4184	1520	cmd.exe	113
PID 1520 wrote to memory of 4616	1520	cmd.exe	115
PID 1520 wrote to memory of 4616	1520	cmd.exe	115
PID 4616 wrote to memory of 532	4616	blockPortServerdriverRuntime.exe	117
PID 4616 wrote to memory of 532	4616	blockPortServerdriverRuntime.exe	117
PID 532 wrote to memory of 3172	532	cmd.exe	119
PID 532 wrote to memory of 3172	532	cmd.exe	119
PID 532 wrote to memory of 2360	532	cmd.exe	120
PID 532 wrote to memory of 2360	532	cmd.exe	120
PID 532 wrote to memory of 1740	532	cmd.exe	133
PID 532 wrote to memory of 1740	532	cmd.exe	133
PID 1740 wrote to memory of 4448	1740	blockPortServerdriverRuntime.exe	135
PID 1740 wrote to memory of 4448	1740	blockPortServerdriverRuntime.exe	135
PID 4448 wrote to memory of 2548	4448	cmd.exe	137
PID 4448 wrote to memory of 2548	4448	cmd.exe	137
PID 4448 wrote to memory of 4972	4448	cmd.exe	138
PID 4448 wrote to memory of 4972	4448	cmd.exe	138
PID 4448 wrote to memory of 5000	4448	cmd.exe	140
PID 4448 wrote to memory of 5000	4448	cmd.exe	140
PID 5000 wrote to memory of 856	5000	blockPortServerdriverRuntime.exe	142
PID 5000 wrote to memory of 856	5000	blockPortServerdriverRuntime.exe	142
PID 856 wrote to memory of 1508	856	cmd.exe	144
PID 856 wrote to memory of 1508	856	cmd.exe	144
PID 856 wrote to memory of 1004	856	cmd.exe	145
PID 856 wrote to memory of 1004	856	cmd.exe	145
PID 856 wrote to memory of 3628	856	cmd.exe	150
PID 856 wrote to memory of 3628	856	cmd.exe	150
PID 3628 wrote to memory of 3744	3628	blockPortServerdriverRuntime.exe	152
PID 3628 wrote to memory of 3744	3628	blockPortServerdriverRuntime.exe	152
PID 3744 wrote to memory of 1620	3744	cmd.exe	154
PID 3744 wrote to memory of 1620	3744	cmd.exe	154
PID 3744 wrote to memory of 2940	3744	cmd.exe	155
PID 3744 wrote to memory of 2940	3744	cmd.exe	155
PID 3744 wrote to memory of 4924	3744	cmd.exe	157
PID 3744 wrote to memory of 4924	3744	cmd.exe	157
PID 4924 wrote to memory of 2716	4924	blockPortServerdriverRuntime.exe	159
PID 4924 wrote to memory of 2716	4924	blockPortServerdriverRuntime.exe	159
PID 2716 wrote to memory of 4696	2716	cmd.exe	161
PID 2716 wrote to memory of 4696	2716	cmd.exe	161
PID 2716 wrote to memory of 4764	2716	cmd.exe	162
PID 2716 wrote to memory of 4764	2716	cmd.exe	162
PID 2716 wrote to memory of 3212	2716	cmd.exe	164
PID 2716 wrote to memory of 3212	2716	cmd.exe	164
PID 3212 wrote to memory of 2748	3212	blockPortServerdriverRuntime.exe	166
PID 3212 wrote to memory of 2748	3212	blockPortServerdriverRuntime.exe	166
PID 2748 wrote to memory of 3988	2748	cmd.exe	168
PID 2748 wrote to memory of 3988	2748	cmd.exe	168
PID 2748 wrote to memory of 2188	2748	cmd.exe	169
PID 2748 wrote to memory of 2188	2748	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe
"C:\Users\Admin\AppData\Local\Temp\fb145a248667da2c0f287c070250dc501c7b3d03df44f22e4f50a735599923d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\blockPortServerdriverRuntime.sfx.exe
    blockPortServerdriverRuntime.sfx.exe -p1234
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\blockPortServerdriverRuntime.exe
      "C:\blockPortServerdriverRuntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3c2acecg\3c2acecg.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8712.tmp" "c:\Windows\System32\CSC415661AA129C4220833CB73FDFD644.TMP"
        6⤵
        
        PID:2172
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xpEtGOhFuJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4872
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4184
      - C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nhkbaghNki.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\89KjNYDQ1l.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BIMUOuvqlP.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2940
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4764
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gu3WPocxsu.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2188
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat"
        19⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4500
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        21⤵
        
        PID:4528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4928
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Soc6EjSTIm.bat"
        23⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat"
        25⤵
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4696
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I8setZco4p.bat"
        27⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zjPPW8Mczj.bat"
        29⤵
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Soc6EjSTIm.bat"
        31⤵
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4876
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6L2ySswQ0j.bat"
        33⤵
        
        PID:4340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3672
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CXBctguhxK.bat"
        35⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1536
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat"
        37⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\blockPortServerdriverRuntime.exe
        
        "C:\blockPortServerdriverRuntime.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"
        39⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Public\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\Users\Default\Pictures\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 14 /tr "'C:\blockPortServerdriverRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntime" /sc ONLOGON /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortServerdriverRuntimeb" /sc MINUTE /mo 6 /tr "'C:\blockPortServerdriverRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
62B

MD5
3caf9e84bed0774d4503d0a9832e3489

SHA1
57e750cc31918f91bf15309f182f5b84265ecfcc

SHA256
2b335dd0175798cd62d16dc74c7961835afe69f47e4c04529caba0b1dd9d1aa2

SHA512
e359ad56cad85fb27617f4393dfe6a33a454d506fe4be0024814175f3fb12b5ef7c3e9e3e2c1d6dcbec90d6f54015e9210b499e5ff8a2f537a1f46abccb42100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockPortServerdriverRuntime.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat

Filesize
163B

MD5
b4a483d68f8a9361f21f2601266067a2

SHA1
aadc33bed4adefb472c14c8080cb1202efebbdbd

SHA256
c64b8be169e74b6dca8589c9002c3b015ed9a4658bde0f3e817c5a5a93638a8e

SHA512
1c68c3cbe45e5d4ca077b8397dc2e43b2b8e75afe1ec6dc175f2c21a988a95578bea3d6902f312dd294b5c06fc9c31253892a2f1806c402aa35b7d4dbce44d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\6L2ySswQ0j.bat

Filesize
211B

MD5
3b1cfd9b2b66d564b8b63e41743dd48d

SHA1
a8c4007c9b60b4b4870dc89a2ef820793991969e

SHA256
dcdd0d9b9d29280cd609f9c810e6bc1c5caf973753c4fec7b0bc0d39f199b107

SHA512
e7b1e47317e143adc124090d0fa79222ea34c95a8cde9a8fd302f43d2c368a1c505957c730f9d4c62bba223444ca911149f9c8cdc640b340363395b20f9d75af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat

Filesize
211B

MD5
de885734798003c7669cfbc60da625ba

SHA1
a63dc2d29d7dd8b415191e14b3ed0bae0f8485fa

SHA256
b906be47dc896421dca576565b5e31bc0d6f7422d6c2ff1df62cd6cd75a6afb6

SHA512
c0b1e4b5dd27e45e7f7c9a44307f02d9d83aed6148127b183b7d464c6fa06977666c0f92ea336c29889f67de2842aeb9a39a685b87d11e0a10b00a42b95b3d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\89KjNYDQ1l.bat

Filesize
163B

MD5
39ad07670a7bfb98c5536b09d8e80398

SHA1
ad8d32ad200713bd6a29fb32e12e91bbb2f9fd8d

SHA256
dc2a1f0f99026c0f9e5083159482573b0e10773e26da7bb05cb0bc5cac709e84

SHA512
93a8f1268585a9a01072d15fadf9903778e77af8d4217f3b123a70ddbc4e94d331e4ccceeb98af8181787a8a7c1e9b3ec0a264969c7dc73e7198c25bde90e712

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIMUOuvqlP.bat

Filesize
163B

MD5
49641825825af0fa8d71e4b23224049c

SHA1
8d28f9a15ea58d98fa5ce761f6f50344520a7f1e

SHA256
6068e5802dd79076670182bb807ec5b1543f08ad9ca50113e1124198754b3d40

SHA512
85a2de7d5a7eeede1fe64ab59c7f5dbdccb33292df867b18fbd2b80e98c456f84d009950d2ecd46e91335da16862651e50364759625d79565625ec33e09d17de

Download Submit
C:\Users\Admin\AppData\Local\Temp\CXBctguhxK.bat

Filesize
211B

MD5
d07447f4dfc6942f3412be853b72cb6d

SHA1
8677e173053021ee14877f4d45abe00eb89166f5

SHA256
fc8d981f382ca6890c71f565add628cdedf5ad9bb35b579dcc0f9b1179be531c

SHA512
7abb5ec24df2af7ea505c1b3d5d43aff7cdfa4c8b4f493b068d8cf0eefb651a992c7e8a5759dd559c51e5534b265d1a6df1d383fc4c3e339c0b8c2649383ec8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat

Filesize
211B

MD5
61512d6c7614e2ea01e8700a00baa791

SHA1
107aed4e5e173dc63760033faa67cdd8e60c0959

SHA256
e293aefe34ef929d55dade9b566bca9ea54a50cf26b3bf3c794a2197333312d6

SHA512
200721a03f0ac5d456f07b43c8f9aa054719410d88763f807cbe8282d7b10917fd06866bf6caf6b157bd9e92b371f58a3eb331928b507538cc61a398e459119a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gu3WPocxsu.bat

Filesize
211B

MD5
059b635e43017e15658aedbcefb66315

SHA1
84f7fb2fcb74dc5f07a973520d2ae68a6da733ae

SHA256
1784ab4240222658ce8c7fd958bd7bf75376c9c85eaa769d824549d45b1af2f6

SHA512
f2c48719e7aaaade9b3e1614149b7692eaf1cf7ca906255c612415d67c17d176f273819ec4653365936f28865615300031b01e9b296a8f4914eff422d31d1870

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8setZco4p.bat

Filesize
163B

MD5
acaf53c64c4914227480ca33ccc68cad

SHA1
4e8820e1df66949cfe86febb53fc5a012c5e955f

SHA256
4e67c1ba4a4104c4f0bae4905a560c884442f4aef735c0095219f6b33617c283

SHA512
addfc9be0f4beec22621920d595ab77d70fba52e2ce635518ac311e3e6e0e3a50b1e139f5703b1d9c64ce302ea16ca4364c4f5df40623b86013d684f309d57dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8712.tmp

Filesize
1KB

MD5
8fdf9b4fb5ac5e82a96e43b2f956f46a

SHA1
bcfe98536bc85220a26b2924425ecf286e21e301

SHA256
4b8cfa39ceb5886e2dc74503aee51810faf4e8cb6cecd56f2d4df268c0910330

SHA512
b1934f2a50acf7283db3522c025218609028b012a0d2c856d953ad24bf0a86c0cb5e0aab3c1de63d0ca2c5537d7457b6a3006ed86e86c70a38f5678e8d2b6b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soc6EjSTIm.bat

Filesize
163B

MD5
09a5782d219ad35a324703d12fd56a1a

SHA1
db76b1b96ba98c3155d8c0db4ae38df3951c8e15

SHA256
9c6ff2146d9f411016268d8ac47370c8a75b901e746ac9b9077dbb1c84ae068b

SHA512
049cb7c0e14ba8e17798294d61efbe4469396735ccc156c31b24b2e7b30bc6c1250025f5553dde6bb5782894aac6504138f03d7756f374a5bc06197bc4bac4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
211B

MD5
1156c9e6d1a78a807abf3087beccdc7f

SHA1
5630a0dca2983302bf5beb23cbecab6e27f75fe4

SHA256
ec444fcaa61f11c7c56baa33d293281bb50bd8b039fd73f9fcce02050614217b

SHA512
5a344cff3f09c8b5725e434e0b77debe34a1cb88edcc6e7f4781c904b58cb97836f10a5f54eea560061f8955438dd291937684d31ff42351fde17f400184e959

Download Submit
C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat

Filesize
163B

MD5
b706f7e13856e53bdab0075ee24435ec

SHA1
1509de27f6bebaf64dcbe29303483bd4db21e64e

SHA256
7df9a5f1d0ef857eba5978a895a5541688f851678e8750438027abf46f8a4527

SHA512
e92db394113eea6c6c87fe4686cd36c5587bd6ba24646f28985f13ef373114247c6901f2032df27d57fa5f796326cd733402fea423beeedcb20bfd2131e9f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat

Filesize
163B

MD5
9e7858922d7e4bf10f42c572f0bfd140

SHA1
ff387327b03dbb0e430e2babdeb21cf1619b6c49

SHA256
4c96c5107535f93817bd80e58d9e11a381cb664c63227e9d522172647d9b9b11

SHA512
a0cdf9a5ff2ae8f41c704c85716245ecde9f5c0666455e19b867c40c4572d7ea9cdc0a3b91188ae468a8f27b3cf52acb892086ce200ee0f228116c3dd421d750

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhkbaghNki.bat

Filesize
163B

MD5
780f87365656e9f8a41eb94c6504fcc7

SHA1
d8cdbedbeb28f6e5ec0277146dc803909e9342ab

SHA256
3a8dba35c91d7c46f80394857a6f89c71b981d753459d49bbb8a99cd8eff4db8

SHA512
d143fed09a376dd9ffbf5ca4f4a75590eeb6f5526d585f2f9f91defd261f0536b62456ed2d02fb4725459e79fa26ec78234ea1c4060a6cd5fa5eb37c41068f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpEtGOhFuJ.bat

Filesize
211B

MD5
856f7c9ab489174e1b408edb4ef41acf

SHA1
d1970059b85149cb5cb083db37dffceb1f9b59ab

SHA256
a5c305e2b610c7b6509d7232042d07769bc2602aa13958b95d22af5459e19555

SHA512
aa1aba20a1a56008bd4f0f79fefcf1e92be613c9adcafb443d2da6b795e4e776ec3f7923c92ce0330b9ba43abd8a84884f0e4db05d1c2e3c4e614ff463d4a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjPPW8Mczj.bat

Filesize
163B

MD5
c952fb48be2ff077f6e67b1705133e58

SHA1
716acabdd9c86804052310b8e0679eba3e92b957

SHA256
762a42a5a941dc17652207ce466b6663ffb981da6fa4331b2ddb8f746771a175

SHA512
6c5b45a115f13f1448f78d9b9f10c170b94fbc82987f055011e6cbb993deecb20af8d3ac35745700bdbe4b0376e9311d4618c1005a911167aeaa3e553d910f38

Download Submit
C:\blockPortServerdriverRuntime.exe

Filesize
1.8MB

MD5
cd66d0673239c0998cf9f49c73f15cd3

SHA1
67054ee170e7a637dddc1604081815fb3e9d04e3

SHA256
eb7028f8db4bf6e44ef8e3d2250304c604cbd350d93529d2bfe24ddf773383de

SHA512
328e36bd61e8a00f10ea22af5e86921278217c23546f7502e5ed02881d8c1155372578d83141e8da3e564c3fce7bf212493b15e74585d97d67644dc6f4184274

Download Submit
C:\blockPortServerdriverRuntime.sfx.exe

Filesize
1.8MB

MD5
b5a4e3bf294fd3e5b4d82af34eeca853

SHA1
ba027c0af5d3c7c5e38b25ee037cd157037096bc

SHA256
3b20edc0a80f388a8178aa1b540b335e66810f8be9deb5fc9876ecbd848f7ff6

SHA512
00aa0a2befd1cfbf2b72941d34bd1042a3b5e27016f3775276cd46778c94b64a5a0ca03283a52f60d00fa11ef4d787a5d72b0fd2971a5bdec9203e43e3a85952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3c2acecg\3c2acecg.0.cs

Filesize
363B

MD5
e87a3197b5983e4bf66809a692b9ca29

SHA1
76ae5f0cd900d3fc4c96bee795acc3bc0d2d5f68

SHA256
77f87c570329556ac1faab7375188a84479351ab506e25b7cbb2fa69c2a1c44f

SHA512
9e19757d54a1ca92d282c7cdfec637af90dabaf975f4bcf6d7d45b175af23f43cc9917c4f60897406b27214cf95786efe0386bccd97f7aa45b27e3b3c7e4c95a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3c2acecg\3c2acecg.cmdline

Filesize
235B

MD5
17924f66c8fb9e76be228bf9ca3ba681

SHA1
ced0a3ac45d269451f221e499f66eb6e1b0cc9b3

SHA256
1d9d846a875e788e09ed1f0a967ea46c8a0aa2cdf57ac3fce93f5cd52a51bcb6

SHA512
c5b04e74fe1e1b775cb7cb4ededa3f37a57a6a423001940b39cf87732ce07d8eaabf5d5af35fd35467c7af4d60ef8c4099408eac278667b800489d150879193a

Download Submit
\??\c:\Windows\System32\CSC415661AA129C4220833CB73FDFD644.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/868-204-0x000000001C080000-0x000000001C14D000-memory.dmp

Filesize
820KB

Download
memory/992-215-0x000000001D190000-0x000000001D25D000-memory.dmp

Filesize
820KB

Download
memory/1536-171-0x000000001B160000-0x000000001B22D000-memory.dmp

Filesize
820KB

Download
memory/1740-83-0x000000001C410000-0x000000001C4DD000-memory.dmp

Filesize
820KB

Download
memory/1936-149-0x000000001C670000-0x000000001C73D000-memory.dmp

Filesize
820KB

Download
memory/2176-193-0x000000001C000000-0x000000001C0CD000-memory.dmp

Filesize
820KB

Download
memory/2912-226-0x000000001CA10000-0x000000001CADD000-memory.dmp

Filesize
820KB

Download
memory/3204-160-0x000000001D120000-0x000000001D1ED000-memory.dmp

Filesize
820KB

Download
memory/3212-127-0x000000001CD30000-0x000000001CDFD000-memory.dmp

Filesize
820KB

Download
memory/3428-31-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/3428-60-0x000000001B7B0000-0x000000001B87D000-memory.dmp

Filesize
820KB

Download
memory/3428-22-0x00000000002C0000-0x000000000049A000-memory.dmp

Filesize
1.9MB

Download
memory/3428-24-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/3428-27-0x000000001B050000-0x000000001B0A0000-memory.dmp

Filesize
320KB

Download
memory/3428-29-0x0000000002600000-0x0000000002618000-memory.dmp

Filesize
96KB

Download
memory/3428-26-0x00000000025E0000-0x00000000025FC000-memory.dmp

Filesize
112KB

Download
memory/3628-105-0x000000001CFC0000-0x000000001D08D000-memory.dmp

Filesize
820KB

Download
memory/3664-237-0x000000001CEB0000-0x000000001CF7D000-memory.dmp

Filesize
820KB

Download
memory/4616-72-0x000000001D820000-0x000000001D8ED000-memory.dmp

Filesize
820KB

Download
memory/4732-248-0x000000001CC20000-0x000000001CCED000-memory.dmp

Filesize
820KB

Download
memory/4828-138-0x000000001C8F0000-0x000000001C9BD000-memory.dmp

Filesize
820KB

Download
memory/4924-116-0x000000001CA20000-0x000000001CAED000-memory.dmp

Filesize
820KB

Download
memory/5000-94-0x000000001C650000-0x000000001C71D000-memory.dmp

Filesize
820KB

Download
memory/5080-182-0x000000001C9E0000-0x000000001CAAD000-memory.dmp

Filesize
820KB

Download