dcrat | dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Size

1.5MB
MD5

5aeeddc9c33fb19473c2d36a1bf77632
SHA1

78c1f862eb9ba6c6e106f7c289d01358f42f655e
SHA256

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d
SHA512

3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2888	schtasks.exe
		2884	schtasks.exe
		2612	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\1610b97d3ab4a7		dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
		2688	schtasks.exe
		2660	schtasks.exe
		2332	schtasks.exe
		2640	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\", \"C:\\Documents and Settings\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Documents and Settings\\explorer.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Windows\\System32\\djoin\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\", \"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Windows\\System32\\djoin\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\sppsvc.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2772	schtasks.exe	31

UAC bypass 3 TTPs 48 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe
1936	powershell.exe
1760	powershell.exe
1944	powershell.exe
2396	powershell.exe
2420	powershell.exe
1976	powershell.exe
1908	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Executes dropped EXE 15 IoCs

pid	Process
3012	WMIADAP.exe
2536	WMIADAP.exe
1020	WMIADAP.exe
1528	WMIADAP.exe
1092	WMIADAP.exe
1596	WMIADAP.exe
1916	WMIADAP.exe
1688	WMIADAP.exe
2840	WMIADAP.exe
2596	WMIADAP.exe
2336	WMIADAP.exe
1096	WMIADAP.exe
1492	WMIADAP.exe
768	WMIADAP.exe
832	WMIADAP.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\sppsvc.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\dwm.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\djoin\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\djoin\\csrss.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\sppsvc.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\djoin\csrss.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\djoin\886983d96e3d3e	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\wbem\powermeterprovider\RCXDAA9.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\djoin\RCXE18F.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\djoin\csrss.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\wbem\powermeterprovider\75a57c1bdf437c	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\1610b97d3ab4a7	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\0a1fd5f707cd16	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\RCXD634.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\RCXE393.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\dwm.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\Performance\WinSAT\DataStore\6cb0b6c459d5d3	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXD838.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\dwm.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2688	schtasks.exe
2660	schtasks.exe
2332	schtasks.exe
2888	schtasks.exe
2640	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1944	powershell.exe
1760	powershell.exe
1936	powershell.exe
2420	powershell.exe
2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1908	powershell.exe
1976	powershell.exe
2396	powershell.exe
1948	powershell.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
3012	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe
2536	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3012	WMIADAP.exe
Token: SeDebugPrivilege	2536	WMIADAP.exe
Token: SeDebugPrivilege	1020	WMIADAP.exe
Token: SeDebugPrivilege	1528	WMIADAP.exe
Token: SeDebugPrivilege	1092	WMIADAP.exe
Token: SeDebugPrivilege	1596	WMIADAP.exe
Token: SeDebugPrivilege	1916	WMIADAP.exe
Token: SeDebugPrivilege	1688	WMIADAP.exe
Token: SeDebugPrivilege	2840	WMIADAP.exe
Token: SeDebugPrivilege	2596	WMIADAP.exe
Token: SeDebugPrivilege	2336	WMIADAP.exe
Token: SeDebugPrivilege	1096	WMIADAP.exe
Token: SeDebugPrivilege	1492	WMIADAP.exe
Token: SeDebugPrivilege	832	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1760	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	39
PID 2432 wrote to memory of 1760	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	39
PID 2432 wrote to memory of 1760	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	39
PID 2432 wrote to memory of 1944	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 2432 wrote to memory of 1944	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 2432 wrote to memory of 1944	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 2432 wrote to memory of 1936	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 2432 wrote to memory of 1936	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 2432 wrote to memory of 1936	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 2432 wrote to memory of 1948	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	43
PID 2432 wrote to memory of 1948	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	43
PID 2432 wrote to memory of 1948	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	43
PID 2432 wrote to memory of 1908	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2432 wrote to memory of 1908	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2432 wrote to memory of 1908	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2432 wrote to memory of 2396	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	46
PID 2432 wrote to memory of 2396	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	46
PID 2432 wrote to memory of 2396	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	46
PID 2432 wrote to memory of 2420	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	47
PID 2432 wrote to memory of 2420	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	47
PID 2432 wrote to memory of 2420	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	47
PID 2432 wrote to memory of 1976	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	48
PID 2432 wrote to memory of 1976	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	48
PID 2432 wrote to memory of 1976	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	48
PID 2432 wrote to memory of 3012	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 2432 wrote to memory of 3012	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 2432 wrote to memory of 3012	2432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 3012 wrote to memory of 1564	3012	WMIADAP.exe	56
PID 3012 wrote to memory of 1564	3012	WMIADAP.exe	56
PID 3012 wrote to memory of 1564	3012	WMIADAP.exe	56
PID 3012 wrote to memory of 2528	3012	WMIADAP.exe	57
PID 3012 wrote to memory of 2528	3012	WMIADAP.exe	57
PID 3012 wrote to memory of 2528	3012	WMIADAP.exe	57
PID 1564 wrote to memory of 2536	1564	WScript.exe	58
PID 1564 wrote to memory of 2536	1564	WScript.exe	58
PID 1564 wrote to memory of 2536	1564	WScript.exe	58
PID 2536 wrote to memory of 2844	2536	WMIADAP.exe	59
PID 2536 wrote to memory of 2844	2536	WMIADAP.exe	59
PID 2536 wrote to memory of 2844	2536	WMIADAP.exe	59
PID 2536 wrote to memory of 2616	2536	WMIADAP.exe	60
PID 2536 wrote to memory of 2616	2536	WMIADAP.exe	60
PID 2536 wrote to memory of 2616	2536	WMIADAP.exe	60
PID 2844 wrote to memory of 1020	2844	WScript.exe	61
PID 2844 wrote to memory of 1020	2844	WScript.exe	61
PID 2844 wrote to memory of 1020	2844	WScript.exe	61
PID 1020 wrote to memory of 1196	1020	WMIADAP.exe	62
PID 1020 wrote to memory of 1196	1020	WMIADAP.exe	62
PID 1020 wrote to memory of 1196	1020	WMIADAP.exe	62
PID 1020 wrote to memory of 672	1020	WMIADAP.exe	63
PID 1020 wrote to memory of 672	1020	WMIADAP.exe	63
PID 1020 wrote to memory of 672	1020	WMIADAP.exe	63
PID 1196 wrote to memory of 1528	1196	WScript.exe	64
PID 1196 wrote to memory of 1528	1196	WScript.exe	64
PID 1196 wrote to memory of 1528	1196	WScript.exe	64
PID 1528 wrote to memory of 3048	1528	WMIADAP.exe	65
PID 1528 wrote to memory of 3048	1528	WMIADAP.exe	65
PID 1528 wrote to memory of 3048	1528	WMIADAP.exe	65
PID 1528 wrote to memory of 2792	1528	WMIADAP.exe	66
PID 1528 wrote to memory of 2792	1528	WMIADAP.exe	66
PID 1528 wrote to memory of 2792	1528	WMIADAP.exe	66
PID 3048 wrote to memory of 1092	3048	WScript.exe	67
PID 3048 wrote to memory of 1092	3048	WScript.exe	67
PID 3048 wrote to memory of 1092	3048	WScript.exe	67
PID 1092 wrote to memory of 1728	1092	WMIADAP.exe	68

System policy modification 1 TTPs 48 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
"C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\djoin\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
  "C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f1ead4f-6e3d-45ec-823f-208148c51c83.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
      C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d6eabc-71f8-4aa7-a334-2ba261e47db7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37367d03-6fad-4ffd-bacc-27fee8779fe1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd7ef36-9fb9-437a-89d2-ba3d11599348.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\054a8551-3843-406f-8a1e-c763cd826f6c.vbs"
        11⤵
        
        PID:1728
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c02c1d41-77a1-4e2a-be7c-a117d3fc3343.vbs"
        13⤵
        
        PID:764
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8676f0ea-31ce-48b1-852d-287388d08068.vbs"
        15⤵
        
        PID:1564
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64334381-f1d8-4b7b-baab-1b289310ae12.vbs"
        17⤵
        
        PID:816
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d81926a-9a48-4a8f-9f01-738fef635574.vbs"
        19⤵
        
        PID:2912
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27474b2d-2639-4205-8e52-a26e0514243e.vbs"
        21⤵
        
        PID:884
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71306557-f7d1-48d7-a437-755b76a10a32.vbs"
        23⤵
        
        PID:1296
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f44a9b-907a-4884-bc40-a3f4507ac735.vbs"
        25⤵
        
        PID:2096
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cf747d5-555c-4b8e-9a2d-ccd71522bdfc.vbs"
        27⤵
        
        PID:1612
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b96fa5d-17eb-42e5-a1de-5b98c68fa64b.vbs"
        29⤵
        
        PID:868
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        
        C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe
        30⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7288e3cc-332c-4913-9c18-10d129f44ef6.vbs"
        31⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9903c876-7222-4820-88a7-1823dafec748.vbs"
        31⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca1ff99-947d-4d70-912a-6b8bcaf1f949.vbs"
        29⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4145c7ac-9f2e-48af-a27e-f0a6322aea34.vbs"
        27⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bb12443-2954-4b46-b269-13ee4236d7b7.vbs"
        25⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58b01b33-cc66-49ae-bdf0-b76ae75339fd.vbs"
        23⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604c4e6d-8634-4c20-853e-9b5a63bee241.vbs"
        21⤵
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2262a9d9-7a2b-431c-92b2-8e613f31a889.vbs"
        19⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0358c95e-6e15-4ee5-ad07-2ae3a6b01fd7.vbs"
        17⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34a5b0a-ee74-4ef0-8935-340499d0e229.vbs"
        15⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3973711c-d8db-40e7-b982-a1410dae943c.vbs"
        13⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d117be8-55ea-4212-83e2-e402a4616e9f.vbs"
        11⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7b5c4f6-bacc-4057-95bc-0646f611cc35.vbs"
        9⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a111f5e4-8ad3-46c7-95d7-eddeb4762ecd.vbs"
        7⤵
        
        PID:672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9f59c5-8c6a-4a75-8d34-3266013d3bdd.vbs"
        5⤵
        
        PID:2616
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\555685be-b1ac-45d8-ab38-ecdda9ec3e05.vbs"
    3⤵
    PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\djoin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\054a8551-3843-406f-8a1e-c763cd826f6c.vbs

Filesize
731B

MD5
9ec4b4f696deeea5ccd0d5230a1e1956

SHA1
ae8c4ee4d62b4029f9436af85dc503995d731a6e

SHA256
70ced518a3f69840b85f5aed44489f47dc1d6e8412aeaf54bafc9bf61a8db6a9

SHA512
67202b7795887a600435fb27aaf2e79159fa5ca6df84e87265e16cc32fcebb4c819a1c3a808bffe881d8c7e8536cefdfd927f0e50999920f28f1e739ecbdf585

Download Submit
C:\Users\Admin\AppData\Local\Temp\27474b2d-2639-4205-8e52-a26e0514243e.vbs

Filesize
731B

MD5
47ff0a77f0513a5c1a7474caa84ec685

SHA1
9ef711d834b8daccd328e89e527233ad5959bf02

SHA256
234aa977dec828f05a02887cd8f144939bd66e3efc4ffe19f5e8672060bbb82d

SHA512
e8ee272cff845624873cdff00936236d3c2f63602fc4c2041e3875b9251f7f63741b9ca3f5d2fd5b527da99843af65b3a13702f7603e2ced311dca755b42691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\37367d03-6fad-4ffd-bacc-27fee8779fe1.vbs

Filesize
731B

MD5
1909b23d9415e5f2085c872c88656450

SHA1
70f7e16ab2857f4a3368494495d276d785583abd

SHA256
22202d7aa9e1fe7e1a329f41fa7b2b90645bc63e27dd1aacd37b85d8a69eb39b

SHA512
ee619c2baf550a7f854e2f222a338ad27a7b525ef1afc054fd55f6e9342f7c612554f8f10720dbdb2530369f38ce5935fe6acd1634a2cf0e6222966e7bdd2c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d81926a-9a48-4a8f-9f01-738fef635574.vbs

Filesize
731B

MD5
60f623bd48d07d25e41c78f5ae745e66

SHA1
77d4f730cde600a74281eda75def326a1dbc3038

SHA256
881d498f3b2d3586f33a3e532e1b9cc65db76ac223b5c4fe822ce506911dcfc8

SHA512
c9f60ca8ea67acca595506b8f301f597204170d8f086e8d58a84d9339fa4b74c60ddf3a15ab3ad1a02f131e54d6728c6788a20195c5168da1d41b0f7b928dd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\42f44a9b-907a-4884-bc40-a3f4507ac735.vbs

Filesize
731B

MD5
01b59e58ec4305832794f81586807ac4

SHA1
cc68c4cbbf460dca09bbe2217a9feb7f5d02e2c1

SHA256
7f324f388b6d3003ee7bc8854459d9b46bdb340ddd6cb730c98a0bf00759ff7e

SHA512
31777ff9be112315fa1b8121b4f6b6279bddfdf214fb4c67c28711b21425b6205e585424b9b2fcd8e6d908b0191f8ed627c5e8601c52388ba13b200ca05db353

Download Submit
C:\Users\Admin\AppData\Local\Temp\555685be-b1ac-45d8-ab38-ecdda9ec3e05.vbs

Filesize
507B

MD5
031a93bdffe27694bbab8b14844e7125

SHA1
639a863e3e8b1b4d3ffe5289d1f864041d232e53

SHA256
fdd621e49adfaf613548e69a05cd860754397c1e76fdfdc4d4f493b8e54d9b39

SHA512
bff8473c71fed74d0aff806d4dfd6292e3f72fe7a656efcca257086a9f7d3005d4a3ceadb690dcbd4e9ba974d2b7d818f3568e77c874402943605a27285bc9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\64334381-f1d8-4b7b-baab-1b289310ae12.vbs

Filesize
731B

MD5
5bfc0fc5210e0c069d7b3eb8a5696b11

SHA1
febabc1874bf0f71bc236d73f0af06da383f0416

SHA256
65080c29d434445addfd63abfb7486b3edbda7ae35f37ccc683a5d746713bbed

SHA512
dcbc75466f676af8f53a8dfdec0498b573867f35d2dc1e15db2b290149f103e78098164f7ff0ed5ca389a4860743c4891b1587848ed08360749802673bcf0cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\71306557-f7d1-48d7-a437-755b76a10a32.vbs

Filesize
731B

MD5
431c30b3828431992a49103a4e6f367b

SHA1
7e8ae144a01959d331da9245c5323cb2258bfe3d

SHA256
5a820680c92fbf317030bebb459865b94eedd8eaf93f9511a5d92be18bc4fc32

SHA512
4f4608d204d4d76bf20deb07c58319ffdf67744276a2cbdb1748642c70b6229653396c2c9d771e02d15dc212f24777f065e443fd4f6bc1266d96947c398da076

Download Submit
C:\Users\Admin\AppData\Local\Temp\7288e3cc-332c-4913-9c18-10d129f44ef6.vbs

Filesize
730B

MD5
195a9bfa4c09bd5581c0f025426be008

SHA1
af4ca42b47a68624062ae6c2ca434ed8df9b57c3

SHA256
a57c1884d624bbc80428f8034f834975a7c8b2704c751620bab69ecb219496dc

SHA512
1c91c379657e0194edd7c6368e214972282603487d43a894e4758a4d25d6ee8043fbf4a48daa0b5a1fb53d57033c72a156c3045968f8dd1536c868471b98c729

Download Submit
C:\Users\Admin\AppData\Local\Temp\8676f0ea-31ce-48b1-852d-287388d08068.vbs

Filesize
731B

MD5
e0b6bd8b43594de2d1c46838cbf4706a

SHA1
c5d3dcc8093bae9562ae2f11075aee0140eac76d

SHA256
a2eb58840743cc78841f3fc7e827b17de16b977922cfdba798d326b6c37cf115

SHA512
d688147d00f42e252cf252857a18088446ba6f7bda9ac398c42cec2d9caaa90ba5e634f660c6db18431b45dba0cb2276400c2de4ff9b7defe56112f123079da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\86d6eabc-71f8-4aa7-a334-2ba261e47db7.vbs

Filesize
731B

MD5
bcc190ecb0ab5333075ffa7ab64e1fc1

SHA1
fb03c9e3148417ba81f982ecec2309173ad13121

SHA256
f9955aedc7bd742e12aa7f00abb796f2b40071f366f657ddd987837d3a3068df

SHA512
275f984c458577ef7b4064b0445838dc0c787b3fd913de05771e7052b4320278110e07903d0a3478b9380518e6dbaa2a6e1e05251f7240465900aa721eeb62a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cf747d5-555c-4b8e-9a2d-ccd71522bdfc.vbs

Filesize
731B

MD5
67c53c0e39c9b37e02641f545b37d5a5

SHA1
3fffe3a93a361d50818012c718fc1ed3f19022ed

SHA256
77de045988cac23e029ff478d20944d1ad275eb1f47bb3355cad1c1e9fed5fc1

SHA512
9fa5beba8a6500c0cf5876b9d80f78dc8100c9f3216d4d3c0614ad0cad0f8e91699087dd0b7f94df4f3aedcf97cb4d004c650efa700477fddd16c15f39a09599

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f1ead4f-6e3d-45ec-823f-208148c51c83.vbs

Filesize
731B

MD5
c7601c55f25f4b6264427033000e533c

SHA1
09545eb3ac6102cb4be5b458e2f8e9d62145846a

SHA256
92f0f28f085d7b91ff96d5e89aa4d49010c52df9f23546e43aed560240310fba

SHA512
c672d6b5908bc389aa7d9b494c4aea9945cc9271f242f6ab4aa23363997e56949c8c65a34de7acca5674306969ec7d77f73de217c46b766c1c58b0770477cd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c02c1d41-77a1-4e2a-be7c-a117d3fc3343.vbs

Filesize
731B

MD5
212e380ec2a936725b154f8982cc5097

SHA1
97e4f193371ef305313d88013d117ba85e32263f

SHA256
05c74598143186e2614b1797c8d1e6e0e22141d2a5a70f838016bdbe0aeaef18

SHA512
c769ddb7d37469018a04954ddbfaa88aad1fa48e14435d5990103cfce4749286eea4c75c0582150cbd8f68379c5fb22313e0933025dc2005a658ec7aff8ddf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecd7ef36-9fb9-437a-89d2-ba3d11599348.vbs

Filesize
731B

MD5
e34895812bff2eb4d31ce568a809e9bb

SHA1
977a33b9263d05ad3819eb5b1171b7ed1533d0da

SHA256
d486c37cdee9f18abc8779c116d9cce9c7d693b52ff7d94ae7d774cdbfb07b80

SHA512
d7fd88144366e343b20544f36302eba90f1a5425a5f6ebe1de2f8ac602355e4bd2ab85bb8843a06923e503920855f65db16744e8b370ff3398c2023eefaf649d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5c1bb56c1d9c0d6aeaf0913a70db61a

SHA1
9503a7fed467be766a6284ed5e2fb0335bd28d2d

SHA256
c342b6d6dcb0e42bcbdbd30a3ac86d2846b0bbd7caa652dfe380c2b25ad3eda2

SHA512
18a546d4c2c14701d31c2648ba779b4bbb1fd996320bd211d4ac658d83c885b1e583aa2681d1acd86e6bb8b740b83c219279650286347be85f19090b85277ffe

Download Submit
C:\Users\explorer.exe

Filesize
1.5MB

MD5
5aeeddc9c33fb19473c2d36a1bf77632

SHA1
78c1f862eb9ba6c6e106f7c289d01358f42f655e

SHA256
dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

SHA512
3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2

Download Submit
memory/832-290-0x0000000001370000-0x00000000014EE000-memory.dmp

Filesize
1.5MB

Download
memory/1020-159-0x0000000000180000-0x00000000002FE000-memory.dmp

Filesize
1.5MB

Download
memory/1092-183-0x0000000000880000-0x00000000009FE000-memory.dmp

Filesize
1.5MB

Download
memory/1528-171-0x0000000000220000-0x000000000039E000-memory.dmp

Filesize
1.5MB

Download
memory/1596-195-0x0000000000950000-0x0000000000ACE000-memory.dmp

Filesize
1.5MB

Download
memory/1688-220-0x0000000000320000-0x000000000049E000-memory.dmp

Filesize
1.5MB

Download
memory/1916-207-0x0000000001300000-0x000000000147E000-memory.dmp

Filesize
1.5MB

Download
memory/1916-208-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1944-110-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/1944-108-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2432-13-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2432-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000000240000-0x00000000003BE000-memory.dmp

Filesize
1.5MB

Download
memory/2432-2-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-21-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2432-20-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2432-18-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2432-17-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2432-16-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2432-15-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2432-14-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2432-3-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2432-12-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2432-24-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-135-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-11-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2432-10-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2432-9-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2432-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2432-8-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/2432-5-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2432-7-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2432-6-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2536-147-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2536-146-0x0000000000260000-0x00000000003DE000-memory.dmp

Filesize
1.5MB

Download
memory/2596-244-0x0000000001340000-0x00000000014BE000-memory.dmp

Filesize
1.5MB

Download
memory/2840-232-0x0000000000960000-0x0000000000ADE000-memory.dmp

Filesize
1.5MB

Download
memory/3012-97-0x0000000000FF0000-0x000000000116E000-memory.dmp

Filesize
1.5MB

Download