dcrat | 59aad546a2a32c7e540e7067d41fd51046f275ce8ca021dfe06f0dd2c1063779

Processes:

portproviderperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\", \"C:\\Windows\\debug\\System.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\", \"C:\\Windows\\debug\\System.exe\", \"C:\\MSOCache\\All Users\\smss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\", \"C:\\Windows\\debug\\System.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Windows\\Panther\\cmd.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\dllhost.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Users\\Default\\Templates\\csrss.exe\", \"C:\\SurrogatewinDrivernetsvc\\conhost.exe\", \"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	portproviderperf.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2720	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

portproviderperf.execonhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portproviderperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portproviderperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portproviderperf.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\SurrogatewinDrivernetsvc\portproviderperf.exe	dcrat
behavioral1/memory/2776-13-0x00000000001E0000-0x0000000000486000-memory.dmp	dcrat
behavioral1/memory/812-72-0x0000000000C60000-0x0000000000F06000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

portproviderperf.execonhost.exe

pid process

2776 portproviderperf.exe
812 conhost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2272 cmd.exe
2272 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2272	cmd.exe
2272	cmd.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

portproviderperf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows NT\\Accessories\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\SurrogatewinDrivernetsvc\\sppsvc.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Panther\\cmd.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\SurrogatewinDrivernetsvc\\conhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Templates\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Java\\jre7\\lib\\deploy\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\debug\\System.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\debug\\System.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Templates\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\dwm.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\SurrogatewinDrivernetsvc\\conhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\SurrogatewinDrivernetsvc\\spoolsv.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	portproviderperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Panther\\cmd.exe\""	portproviderperf.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

conhost.exeportproviderperf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	portproviderperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portproviderperf.exe

Drops file in Program Files directory 8 IoCs

Processes:

portproviderperf.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\b75386f1303e64	portproviderperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	portproviderperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	portproviderperf.exe
File created	C:\Program Files\Windows NT\Accessories\dwm.exe	portproviderperf.exe
File created	C:\Program Files\Windows NT\Accessories\6cb0b6c459d5d3	portproviderperf.exe
File created	C:\Program Files\Java\jre7\lib\deploy\spoolsv.exe	portproviderperf.exe
File created	C:\Program Files\Java\jre7\lib\deploy\f3b6ecef712a24	portproviderperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe	portproviderperf.exe

Drops file in Windows directory 4 IoCs

Processes:

portproviderperf.exe

description	ioc	process
File created	C:\Windows\debug\System.exe	portproviderperf.exe
File created	C:\Windows\debug\27d1bcfc3c54e0	portproviderperf.exe
File created	C:\Windows\Panther\cmd.exe	portproviderperf.exe
File created	C:\Windows\Panther\ebf1f9fa8afd6d	portproviderperf.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeDCRatBuild442.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2684 reg.exe

pid	process
2684	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2136	schtasks.exe
1648	schtasks.exe
2924	schtasks.exe
336	schtasks.exe
2456	schtasks.exe
2564	schtasks.exe
808	schtasks.exe
1408	schtasks.exe
2796	schtasks.exe
2184	schtasks.exe
1744	schtasks.exe
2188	schtasks.exe
1236	schtasks.exe
1820	schtasks.exe
3028	schtasks.exe
1776	schtasks.exe
1504	schtasks.exe
956	schtasks.exe
2052	schtasks.exe
1696	schtasks.exe
1752	schtasks.exe
1732	schtasks.exe
348	schtasks.exe
2800	schtasks.exe
2320	schtasks.exe
1852	schtasks.exe
2576	schtasks.exe
2076	schtasks.exe
2408	schtasks.exe
736	schtasks.exe
844	schtasks.exe
2672	schtasks.exe
916	schtasks.exe
1404	schtasks.exe
2736	schtasks.exe
2032	schtasks.exe
1452	schtasks.exe
2120	schtasks.exe
1056	schtasks.exe
1936	schtasks.exe
2308	schtasks.exe
2256	schtasks.exe
2652	schtasks.exe
1860	schtasks.exe
2840	schtasks.exe
1956	schtasks.exe
1596	schtasks.exe
776	schtasks.exe
3048	schtasks.exe
2904	schtasks.exe
2648	schtasks.exe
2996	schtasks.exe
676	schtasks.exe
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

portproviderperf.execonhost.exe

pid	process
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
2776	portproviderperf.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe
812	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

portproviderperf.execonhost.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2776	portproviderperf.exe
Token: SeDebugPrivilege	812	conhost.exe
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

DCRatBuild442.exeWScript.execmd.exeportproviderperf.execonhost.exe

description	pid	process	target process
PID 2292 wrote to memory of 1724	2292	DCRatBuild442.exe	WScript.exe
PID 2292 wrote to memory of 1724	2292	DCRatBuild442.exe	WScript.exe
PID 2292 wrote to memory of 1724	2292	DCRatBuild442.exe	WScript.exe
PID 2292 wrote to memory of 1724	2292	DCRatBuild442.exe	WScript.exe
PID 1724 wrote to memory of 2272	1724	WScript.exe	cmd.exe
PID 1724 wrote to memory of 2272	1724	WScript.exe	cmd.exe
PID 1724 wrote to memory of 2272	1724	WScript.exe	cmd.exe
PID 1724 wrote to memory of 2272	1724	WScript.exe	cmd.exe
PID 2272 wrote to memory of 2776	2272	cmd.exe	portproviderperf.exe
PID 2272 wrote to memory of 2776	2272	cmd.exe	portproviderperf.exe
PID 2272 wrote to memory of 2776	2272	cmd.exe	portproviderperf.exe
PID 2272 wrote to memory of 2776	2272	cmd.exe	portproviderperf.exe
PID 2776 wrote to memory of 812	2776	portproviderperf.exe	conhost.exe
PID 2776 wrote to memory of 812	2776	portproviderperf.exe	conhost.exe
PID 2776 wrote to memory of 812	2776	portproviderperf.exe	conhost.exe
PID 2272 wrote to memory of 2684	2272	cmd.exe	reg.exe
PID 2272 wrote to memory of 2684	2272	cmd.exe	reg.exe
PID 2272 wrote to memory of 2684	2272	cmd.exe	reg.exe
PID 2272 wrote to memory of 2684	2272	cmd.exe	reg.exe
PID 812 wrote to memory of 560	812	conhost.exe	WScript.exe
PID 812 wrote to memory of 560	812	conhost.exe	WScript.exe
PID 812 wrote to memory of 560	812	conhost.exe	WScript.exe
PID 812 wrote to memory of 284	812	conhost.exe	WScript.exe
PID 812 wrote to memory of 284	812	conhost.exe	WScript.exe
PID 812 wrote to memory of 284	812	conhost.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

Processes:

conhost.exeportproviderperf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portproviderperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portproviderperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portproviderperf.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DCRatBuild442.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild442.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\j01KoBqau4T1mDZA7pWtHlrYnnCAl.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\SurrogatewinDrivernetsvc\tab5JuwN9kJgOdDnrNFIynFDGX.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272

C:\SurrogatewinDrivernetsvc\portproviderperf.exe
"C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776

C:\SurrogatewinDrivernetsvc\conhost.exe
"C:\SurrogatewinDrivernetsvc\conhost.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6ec440-e7cd-44cb-a335-9d318e9a794c.vbs"
6⤵
PID:560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af4ded1d-2b6d-47b3-b3f0-fb3eeee6779a.vbs"
6⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\SurrogatewinDrivernetsvc\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\SurrogatewinDrivernetsvc\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\SurrogatewinDrivernetsvc\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\SurrogatewinDrivernetsvc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\lib\deploy\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\deploy\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\deploy\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\SurrogatewinDrivernetsvc\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\SurrogatewinDrivernetsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\debug\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Panther\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System