dcrat | c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Size

1.5MB
MD5

eb9014d81c8697c47e025d43befbc380
SHA1

977508927fc85602ff50dbc34bf52dfafea15a51
SHA256

c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16
SHA512

babfa7a3c6a74a0e25bac5c559e472cf4fb6ff1fba1b149b1376f6c41301a0e909333062895d20d7f141cc29f3b4b931689f5be8c5eaab5c9c13fabe47e4b9c2
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		788	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\wbem\wlan\75a57c1bdf437c		c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
		332	schtasks.exe
		2964	schtasks.exe
		2716	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\", \"C:\\Windows\\System32\\wbem\\profileassociationprovider\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\rdpshell\\smss.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\spoolsv.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\", \"C:\\Windows\\System32\\wbem\\profileassociationprovider\\WmiPrvSE.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\", \"C:\\Windows\\System32\\wbem\\profileassociationprovider\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\rdpshell\\smss.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2900	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
920	powershell.exe
1920	powershell.exe
2680	powershell.exe
1332	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe

Executes dropped EXE 10 IoCs

pid	Process
708	WMIADAP.exe
1792	WMIADAP.exe
2844	WMIADAP.exe
2004	WMIADAP.exe
2284	WMIADAP.exe
1560	WMIADAP.exe
2876	WMIADAP.exe
2940	WMIADAP.exe
1448	WMIADAP.exe
2912	WMIADAP.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\rdpshell\\smss.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\rdpshell\\smss.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\spoolsv.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\spoolsv.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\wlan\\WMIADAP.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\profileassociationprovider\\WmiPrvSE.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\profileassociationprovider\\WmiPrvSE.exe\""	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\wlan\WMIADAP.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\wbem\wlan\WMIADAP.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\wbem\wlan\75a57c1bdf437c	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\wbem\profileassociationprovider\WmiPrvSE.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\rdpshell\smss.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\wbem\profileassociationprovider\RCXD867.tmp	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\rdpshell\RCXDA6A.tmp	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\wbem\profileassociationprovider\24dbde2999530e	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File created	C:\Windows\System32\rdpshell\69ddcba757bf72	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\wbem\wlan\RCXD663.tmp	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\wbem\profileassociationprovider\WmiPrvSE.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
File opened for modification	C:\Windows\System32\rdpshell\smss.exe	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
788	schtasks.exe
332	schtasks.exe
2964	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
2680	powershell.exe
1332	powershell.exe
2016	powershell.exe
920	powershell.exe
1920	powershell.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
708	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe
1792	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	708	WMIADAP.exe
Token: SeDebugPrivilege	1792	WMIADAP.exe
Token: SeDebugPrivilege	2844	WMIADAP.exe
Token: SeDebugPrivilege	2004	WMIADAP.exe
Token: SeDebugPrivilege	2284	WMIADAP.exe
Token: SeDebugPrivilege	1560	WMIADAP.exe
Token: SeDebugPrivilege	2876	WMIADAP.exe
Token: SeDebugPrivilege	2940	WMIADAP.exe
Token: SeDebugPrivilege	1448	WMIADAP.exe
Token: SeDebugPrivilege	2912	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2016	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	36
PID 588 wrote to memory of 2016	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	36
PID 588 wrote to memory of 2016	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	36
PID 588 wrote to memory of 2680	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	37
PID 588 wrote to memory of 2680	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	37
PID 588 wrote to memory of 2680	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	37
PID 588 wrote to memory of 920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	38
PID 588 wrote to memory of 920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	38
PID 588 wrote to memory of 920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	38
PID 588 wrote to memory of 1920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	39
PID 588 wrote to memory of 1920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	39
PID 588 wrote to memory of 1920	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	39
PID 588 wrote to memory of 1332	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	40
PID 588 wrote to memory of 1332	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	40
PID 588 wrote to memory of 1332	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	40
PID 588 wrote to memory of 2992	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	46
PID 588 wrote to memory of 2992	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	46
PID 588 wrote to memory of 2992	588	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe	46
PID 2992 wrote to memory of 2448	2992	cmd.exe	48
PID 2992 wrote to memory of 2448	2992	cmd.exe	48
PID 2992 wrote to memory of 2448	2992	cmd.exe	48
PID 2992 wrote to memory of 708	2992	cmd.exe	49
PID 2992 wrote to memory of 708	2992	cmd.exe	49
PID 2992 wrote to memory of 708	2992	cmd.exe	49
PID 708 wrote to memory of 2876	708	WMIADAP.exe	50
PID 708 wrote to memory of 2876	708	WMIADAP.exe	50
PID 708 wrote to memory of 2876	708	WMIADAP.exe	50
PID 708 wrote to memory of 2164	708	WMIADAP.exe	51
PID 708 wrote to memory of 2164	708	WMIADAP.exe	51
PID 708 wrote to memory of 2164	708	WMIADAP.exe	51
PID 2876 wrote to memory of 1792	2876	WScript.exe	52
PID 2876 wrote to memory of 1792	2876	WScript.exe	52
PID 2876 wrote to memory of 1792	2876	WScript.exe	52
PID 1792 wrote to memory of 1736	1792	WMIADAP.exe	53
PID 1792 wrote to memory of 1736	1792	WMIADAP.exe	53
PID 1792 wrote to memory of 1736	1792	WMIADAP.exe	53
PID 1792 wrote to memory of 572	1792	WMIADAP.exe	54
PID 1792 wrote to memory of 572	1792	WMIADAP.exe	54
PID 1792 wrote to memory of 572	1792	WMIADAP.exe	54
PID 1736 wrote to memory of 2844	1736	WScript.exe	55
PID 1736 wrote to memory of 2844	1736	WScript.exe	55
PID 1736 wrote to memory of 2844	1736	WScript.exe	55
PID 2844 wrote to memory of 1828	2844	WMIADAP.exe	56
PID 2844 wrote to memory of 1828	2844	WMIADAP.exe	56
PID 2844 wrote to memory of 1828	2844	WMIADAP.exe	56
PID 2844 wrote to memory of 1392	2844	WMIADAP.exe	57
PID 2844 wrote to memory of 1392	2844	WMIADAP.exe	57
PID 2844 wrote to memory of 1392	2844	WMIADAP.exe	57
PID 1828 wrote to memory of 2004	1828	WScript.exe	58
PID 1828 wrote to memory of 2004	1828	WScript.exe	58
PID 1828 wrote to memory of 2004	1828	WScript.exe	58
PID 2004 wrote to memory of 2532	2004	WMIADAP.exe	59
PID 2004 wrote to memory of 2532	2004	WMIADAP.exe	59
PID 2004 wrote to memory of 2532	2004	WMIADAP.exe	59
PID 2004 wrote to memory of 1652	2004	WMIADAP.exe	60
PID 2004 wrote to memory of 1652	2004	WMIADAP.exe	60
PID 2004 wrote to memory of 1652	2004	WMIADAP.exe	60
PID 2532 wrote to memory of 2284	2532	WScript.exe	61
PID 2532 wrote to memory of 2284	2532	WScript.exe	61
PID 2532 wrote to memory of 2284	2532	WScript.exe	61
PID 2284 wrote to memory of 1440	2284	WMIADAP.exe	62
PID 2284 wrote to memory of 1440	2284	WMIADAP.exe	62
PID 2284 wrote to memory of 1440	2284	WMIADAP.exe	62
PID 2284 wrote to memory of 2332	2284	WMIADAP.exe	63

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe
"C:\Users\Admin\AppData\Local\Temp\c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wlan\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\profileassociationprovider\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rdpshell\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rc7n3FwZHW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2448
- - C:\Windows\System32\wbem\wlan\WMIADAP.exe
    "C:\Windows\System32\wbem\wlan\WMIADAP.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f62fb046-b279-4cba-bd44-b0847d391037.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1792
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef215263-e768-486a-a3a3-901c7cb17325.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a5ac7f-be8f-4f6e-bb68-7c131788e0a4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9aa7e99-ed7e-4850-b19d-0ae11e1b1b83.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dad7f650-0af5-44e9-9fd7-4e044fbff6f1.vbs"
        12⤵
        
        PID:1440
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fc54625-9c58-4922-8f14-822132d80648.vbs"
        14⤵
        
        PID:2224
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f69a7056-9c64-4cd9-bbe5-7d71963f70e8.vbs"
        16⤵
        
        PID:2692
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\613b34ce-7fbd-4aac-8468-7f936c10c8d9.vbs"
        18⤵
        
        PID:2180
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f5b67e0-3bc1-4936-ab69-b4b71e84d891.vbs"
        20⤵
        
        PID:1760
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        
        C:\Windows\System32\wbem\wlan\WMIADAP.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5ad19f3-390e-4568-9294-bff050983536.vbs"
        22⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca85d767-c6c2-49b3-88ef-08809d6f6a57.vbs"
        22⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2162ff47-5b7f-4c7b-83af-ac29822a49b4.vbs"
        20⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ee30f1-1bdf-4a06-ad3a-4eb3391ca1d7.vbs"
        18⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f75a6e2-e10f-4997-85e1-b90d33911b17.vbs"
        16⤵
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac8e923d-038e-42e8-bfd3-1230438c8feb.vbs"
        14⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\096a56e0-b63d-4f5e-b032-5ac4669da8d0.vbs"
        12⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fc9f437-f196-471c-b49f-a77ce35d5f62.vbs"
        10⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6103e641-d50d-460b-bd67-057e0f6d6b0b.vbs"
        8⤵
        
        PID:1392
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\510db077-5849-4d56-921b-c20ff889613f.vbs"
        6⤵
        
        PID:572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ea2ffc-0ec2-42af-bde6-6cedadd3d5d6.vbs"
      4⤵
      PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wlan\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\profileassociationprovider\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\rdpshell\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\098c62288e94d738a38506e0933399f00ce0b094.exe

Filesize
1.5MB

MD5
0a428abb987ca6fd4e555c60582151a0

SHA1
0d6761081ac1b225692f4add2b4fde84d9b6b28c

SHA256
7f07212c848b20d018f7d7cd14c316fe725d3ed1892243dfdbe71c36e57dfc78

SHA512
0c9c404ef9a5c17b6d1542387cda2d5e9baab69ca36d08c7dbcf9af52e49d6cee8a8cf5b9402fce7c88ee4ebe316b516c7fe7f0eca7d6356f17019ab8a5289fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f5b67e0-3bc1-4936-ab69-b4b71e84d891.vbs

Filesize
717B

MD5
ab993a55eb96f099aaafa4d1e28b87dc

SHA1
562365d21e9113fe60b5e9100fae8b73944bf190

SHA256
c53c75ccfa4c441ea3aa12c643a625eb3865882b4fe073eb3bfc7f5808cc697a

SHA512
2daa46f89547269500a7d7deb5779f15ffe7bac246f958525b629f2ec57a1da3a2e35cd898890ffde2274efeee775d6ffd05c0e0a99c1fb8ca6fe028de1ad5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fc54625-9c58-4922-8f14-822132d80648.vbs

Filesize
717B

MD5
5e4bcc16b725533a9d3c45f12f31b5a5

SHA1
3b6b283b82e2ada7e8f843d8d59f678407edf7d1

SHA256
7c9d150aae7df61cb18d98e7f79af0b831961489ccc6b2e585baa3e275e66f2a

SHA512
622ebcbfa8e9123dfde9e6cf148be81934ac49acef637ad0c4bb9a2085188270fa17be16738094bfa54eba8f9762dc73b1b5dfbec7c732a88cbf36ebfa888982

Download Submit
C:\Users\Admin\AppData\Local\Temp\613b34ce-7fbd-4aac-8468-7f936c10c8d9.vbs

Filesize
717B

MD5
f1fc7532f31082dd2df65ab61bc73a86

SHA1
249af120150590e0834d0745543b20c88ab2db44

SHA256
b0817680c4e704adc3a108f463ec6475870861b3e2fa7b6c32188e4d1554d731

SHA512
0fc201b3b83fa87c840fa47af676e3e0161bc2e2a647814efcf94c176f6d0b37695b21bcc0e84ba32be48892166f51815cef1a60b630adb3ccc3f7551c190ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\84ea2ffc-0ec2-42af-bde6-6cedadd3d5d6.vbs

Filesize
493B

MD5
515eebddca70b58d1bf8bd4f4863f059

SHA1
394179a2da8d3ca56f96317a56c327559b62b127

SHA256
cdb87deabf86e7edd49c087bc39235b82f93274b547888a55cb00063a6cc4e08

SHA512
c72365c66db4b93dfbdeda03297ed8a6b3f9760f28451b45bb338d776c43cfd0dcc06280a5f520dff645e704f7b0e7cd2364b0bc9fd13d536e0e6b2b9f0b1315

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aa7e99-ed7e-4850-b19d-0ae11e1b1b83.vbs

Filesize
717B

MD5
8c31df03bc0a194b0fdfeb84d432a39e

SHA1
ee9684c1809e8a7f1c4b5344dfc270b23acbeb2c

SHA256
2f8096aec41a88b1c29aeabfc628e42df90bf35741d180fdd0a4954de6b19483

SHA512
0e0ff3c1b88d977beaa976237e306160e82dd5055bb1f1aadabf0d6dc1cfb1e8a466fb8f9b92c98935035598a1e811a7df0afd8cda483811746dc0c38e06e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9a5ac7f-be8f-4f6e-bb68-7c131788e0a4.vbs

Filesize
717B

MD5
bd14c52fb0c52862a03528e09ee65ea9

SHA1
ad2fab78cc61293a4c78b8fb64eb45cb5868b2e0

SHA256
510ac4e74fb89f48afa4f30cf229faa13630ce58e47191fd179ae94cb8ca3647

SHA512
997f7fc3f25aa45180889da35ad2643bb848c3d7ff96e9b6456c4610a715abff0c1d9e7cde7c93a0ee82e4de78f0e4b87c6493e37418df0f424bea709670e3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dad7f650-0af5-44e9-9fd7-4e044fbff6f1.vbs

Filesize
717B

MD5
f4fae95502aab30ccd38ba5b1a606845

SHA1
4d2b3ad665ec96cdc0aa492baedaf3a3afd43480

SHA256
a8df37cc6de9c8bb8f54a419c5233c8d40b550b2b4d3059ffd958a8c71106cd1

SHA512
6c7628606cbd6f3ab69dd5370e43c078f5a59cd477b25c2d3789057d423606181f10f1a0f1c10d428a906e90da8e27e3be4c4d2960ceaafa5812363a6d5cb43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef215263-e768-486a-a3a3-901c7cb17325.vbs

Filesize
717B

MD5
1e16a0e0b40629073d4e4064284a52a8

SHA1
05bf76edbc17c64a8af38a5c5db24eb686a28d4e

SHA256
665dd3f7e5f6b8aef191ecf2df938215866f3fa571cf5f8a781a926f2f79a9dc

SHA512
a675a1c569902517f60b19faf1389c5d8684662506e11c0a64d04ee0980f2210761ee74e2e9beb00d01a6f3f0576506b2b04e7088705dcf37e5b015043dd1272

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5ad19f3-390e-4568-9294-bff050983536.vbs

Filesize
717B

MD5
50255ea86eac0e47e97f67d141c650db

SHA1
288d3cf0250386ef3e01a9b324b06f94cdbc675b

SHA256
0c95b6c83cacf2a43a8b3aab0cf0b93f4ba656192b91790dafa80438ef190756

SHA512
a32add541f6959ee6eba7d7bf6dc654adb55fe171411280d346b5d6a0eef8219ea291c4e17134f5bb63c5f574ce1e15a33f115c2ddb9cd0337060899f07f1e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f62fb046-b279-4cba-bd44-b0847d391037.vbs

Filesize
716B

MD5
e8f553f08b35a981b213e5fcb7a87949

SHA1
975c14beb7f4b6eed0472f7879ee12a7a82f81ef

SHA256
41620353ea22efe664450715e1772d0a6929d535f65a88199c8cf73d19917357

SHA512
7beb750971254440389ff6bb4281f7fa9107a5ed51d3e4a182099a751404583603382bce6caeaf9082a3a48ca6a473a18be2a3cea603fcbae0b43df23a69a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\f69a7056-9c64-4cd9-bbe5-7d71963f70e8.vbs

Filesize
717B

MD5
3514a6ffc27dbc3857b45449416b92db

SHA1
879fe1345775a5cb335b0e8efa69be73547e7768

SHA256
5f059676d5b7e9cce0abd25e2ba17eb5b11ef442855874cc3cc6ef28db68b77f

SHA512
292fee6d0cd201f98eb96f46f21c0ffae273db90172c5d37097325303a0c223d32d511fab125403dfa59a519174ebd558e11e7cc1f032f16b5bb3a652b1021fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc7n3FwZHW.bat

Filesize
205B

MD5
4dfb0a207b02058596d4698c787b84d8

SHA1
32126178a564525ee565aabf6289d4329a977ac0

SHA256
b304ef724a29efb3e41d830d012dde25c09df42cc53e608df2416fa896644691

SHA512
7a5b4b7348d807083f412eeb623a8fcefd484d2b58119d4104249918bb8e071907df5537020e8705ef00799843f8af395e7fad4cb3c2c66758851740734a91a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b787a6c5727cc35285c70172be7d10f4

SHA1
2a1f5b40690c90d3b07fc1c28ea4b066ff54d4ef

SHA256
2d990cf7445415cd63faf5186b0156c00d9c5f8ccd43bdf0b75ca0cc33f25637

SHA512
4738c7660a296bd8707ab3f3b980ebbc7e305c3123f668e435f63a582cf3660e256b9b5ddf6c5aad5024696a5909c28041512ad517242f9eca213010f574b9bd

Download Submit
C:\Windows\System32\wbem\wlan\WMIADAP.exe

Filesize
1.5MB

MD5
eb9014d81c8697c47e025d43befbc380

SHA1
977508927fc85602ff50dbc34bf52dfafea15a51

SHA256
c021c06a4b291afc74fac32988c25b202f8ed4ba45909d5498b69337004cdd16

SHA512
babfa7a3c6a74a0e25bac5c559e472cf4fb6ff1fba1b149b1376f6c41301a0e909333062895d20d7f141cc29f3b4b931689f5be8c5eaab5c9c13fabe47e4b9c2

Download Submit
memory/588-10-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/588-11-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/588-17-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/588-18-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/588-20-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/588-21-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/588-24-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/588-15-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/588-41-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/588-14-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/588-13-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/588-12-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/588-78-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/588-16-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/588-1-0x0000000001220000-0x000000000139E000-memory.dmp

Filesize
1.5MB

Download
memory/588-9-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/588-8-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/588-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/588-7-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/588-3-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/588-6-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/588-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/588-5-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/588-4-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/708-98-0x0000000000300000-0x000000000047E000-memory.dmp

Filesize
1.5MB

Download
memory/1448-192-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1560-158-0x00000000011D0000-0x000000000134E000-memory.dmp

Filesize
1.5MB

Download
memory/1792-109-0x0000000000910000-0x0000000000A8E000-memory.dmp

Filesize
1.5MB

Download
memory/2004-133-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/2284-146-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2284-145-0x0000000000960000-0x0000000000ADE000-memory.dmp

Filesize
1.5MB

Download
memory/2680-83-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2680-77-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2844-121-0x0000000000020000-0x000000000019E000-memory.dmp

Filesize
1.5MB

Download