dcrat | ccd8fe156b0f0e49cd57438279edd5309a1cf0bf2d3c0d0276e85a265b125a78

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Size

1.2MB
MD5

74548bc293609543285f3260033299f0
SHA1

70afb45f951e1f4f6a71cdc14206aa7c9dee8982
SHA256

ccd8fe156b0f0e49cd57438279edd5309a1cf0bf2d3c0d0276e85a265b125a78
SHA512

c76bed7f890884ee3deba85e5f7f7612e8bd9594479f8c7844e2e9c1ec1c69b4daf2db0da35d364ad6b35bd57406ee9ef87d055a6f2b9438461f1b4bd8d505a0
SSDEEP

24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4904	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4904	schtasks.exe	83

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1864-0-0x0000000000AB0000-0x0000000000BEA000-memory.dmp	dcrat
behavioral2/files/0x0007000000023435-30.dat	dcrat
behavioral2/files/0x000b000000023392-137.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
32	spoolsv.exe
2960	spoolsv.exe
2856	spoolsv.exe
2524	spoolsv.exe
3436	spoolsv.exe
432	spoolsv.exe
2580	spoolsv.exe
4272	spoolsv.exe
4232	spoolsv.exe
1380	spoolsv.exe
3584	spoolsv.exe
1408	spoolsv.exe
2580	spoolsv.exe
4440	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\RCX5181.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\74548bc293609543285f3260033299f0_NeikiAnalytics.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX558A.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sihost.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Portable Devices\66fc9ff0ee96c2	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\csrss.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\f2f37fb6e2d323	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registry.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\RCX5994.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\csrss.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCX5E0A.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX6281.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\ee2ad38f3d4382	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Portable Devices\sihost.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\9e8d7a4ca61bd9	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\29c1c3cc0f7685	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX4D78.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX578F.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registry.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\74548bc293609543285f3260033299f0_NeikiAnalytics.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\ICU\RCX4F7D.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\ShellExperiences\OfficeClickToRun.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Windows\Globalization\ICU\RuntimeBroker.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Windows\ShellExperiences\OfficeClickToRun.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Windows\ShellExperiences\e6c9b481da804f	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\ShellExperiences\RCX5386.tmp	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Windows\Globalization\ICU\9e8d7a4ca61bd9	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\dwm.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Globalization\ICU\RuntimeBroker.exe	74548bc293609543285f3260033299f0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3692	schtasks.exe
4912	schtasks.exe
4716	schtasks.exe
4244	schtasks.exe
956	schtasks.exe
4464	schtasks.exe
4816	schtasks.exe
2148	schtasks.exe
1524	schtasks.exe
5116	schtasks.exe
2152	schtasks.exe
612	schtasks.exe
1344	schtasks.exe
3808	schtasks.exe
4852	schtasks.exe
2004	schtasks.exe
2924	schtasks.exe
3960	schtasks.exe
2224	schtasks.exe
2968	schtasks.exe
4724	schtasks.exe
4400	schtasks.exe
3196	schtasks.exe
2500	schtasks.exe
1992	schtasks.exe
2740	schtasks.exe
1148	schtasks.exe
364	schtasks.exe
3324	schtasks.exe
448	schtasks.exe
3316	schtasks.exe
1644	schtasks.exe
4524	schtasks.exe
4232	schtasks.exe
1216	schtasks.exe
388	schtasks.exe
4756	schtasks.exe
3144	schtasks.exe
4116	schtasks.exe
4556	schtasks.exe
2932	schtasks.exe
3100	schtasks.exe
1624	schtasks.exe
2964	schtasks.exe
4928	schtasks.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
32	spoolsv.exe
2960	spoolsv.exe
2960	spoolsv.exe
2960	spoolsv.exe
2960	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	32	spoolsv.exe
Token: SeDebugPrivilege	2960	spoolsv.exe
Token: SeDebugPrivilege	2856	spoolsv.exe
Token: SeDebugPrivilege	2524	spoolsv.exe
Token: SeDebugPrivilege	3436	spoolsv.exe
Token: SeDebugPrivilege	432	spoolsv.exe
Token: SeDebugPrivilege	2580	spoolsv.exe
Token: SeDebugPrivilege	4272	spoolsv.exe
Token: SeDebugPrivilege	4232	spoolsv.exe
Token: SeDebugPrivilege	1380	spoolsv.exe
Token: SeDebugPrivilege	3584	spoolsv.exe
Token: SeDebugPrivilege	1408	spoolsv.exe
Token: SeDebugPrivilege	2580	spoolsv.exe
Token: SeDebugPrivilege	4440	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 32	1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe	142
PID 1864 wrote to memory of 32	1864	74548bc293609543285f3260033299f0_NeikiAnalytics.exe	142
PID 32 wrote to memory of 2104	32	spoolsv.exe	143
PID 32 wrote to memory of 2104	32	spoolsv.exe	143
PID 32 wrote to memory of 4076	32	spoolsv.exe	144
PID 32 wrote to memory of 4076	32	spoolsv.exe	144
PID 2104 wrote to memory of 2960	2104	WScript.exe	145
PID 2104 wrote to memory of 2960	2104	WScript.exe	145
PID 2960 wrote to memory of 940	2960	spoolsv.exe	146
PID 2960 wrote to memory of 940	2960	spoolsv.exe	146
PID 2960 wrote to memory of 4852	2960	spoolsv.exe	147
PID 2960 wrote to memory of 4852	2960	spoolsv.exe	147
PID 940 wrote to memory of 2856	940	WScript.exe	148
PID 940 wrote to memory of 2856	940	WScript.exe	148
PID 2856 wrote to memory of 2484	2856	spoolsv.exe	150
PID 2856 wrote to memory of 2484	2856	spoolsv.exe	150
PID 2856 wrote to memory of 3220	2856	spoolsv.exe	151
PID 2856 wrote to memory of 3220	2856	spoolsv.exe	151
PID 2484 wrote to memory of 2524	2484	WScript.exe	153
PID 2484 wrote to memory of 2524	2484	WScript.exe	153
PID 2524 wrote to memory of 1736	2524	spoolsv.exe	154
PID 2524 wrote to memory of 1736	2524	spoolsv.exe	154
PID 2524 wrote to memory of 4736	2524	spoolsv.exe	155
PID 2524 wrote to memory of 4736	2524	spoolsv.exe	155
PID 1736 wrote to memory of 3436	1736	WScript.exe	156
PID 1736 wrote to memory of 3436	1736	WScript.exe	156
PID 3436 wrote to memory of 2320	3436	spoolsv.exe	157
PID 3436 wrote to memory of 2320	3436	spoolsv.exe	157
PID 3436 wrote to memory of 860	3436	spoolsv.exe	158
PID 3436 wrote to memory of 860	3436	spoolsv.exe	158
PID 2320 wrote to memory of 432	2320	WScript.exe	159
PID 2320 wrote to memory of 432	2320	WScript.exe	159
PID 432 wrote to memory of 3888	432	spoolsv.exe	160
PID 432 wrote to memory of 3888	432	spoolsv.exe	160
PID 432 wrote to memory of 4408	432	spoolsv.exe	161
PID 432 wrote to memory of 4408	432	spoolsv.exe	161
PID 3888 wrote to memory of 2580	3888	WScript.exe	163
PID 3888 wrote to memory of 2580	3888	WScript.exe	163
PID 2580 wrote to memory of 1268	2580	spoolsv.exe	164
PID 2580 wrote to memory of 1268	2580	spoolsv.exe	164
PID 2580 wrote to memory of 32	2580	spoolsv.exe	165
PID 2580 wrote to memory of 32	2580	spoolsv.exe	165
PID 1268 wrote to memory of 4272	1268	WScript.exe	166
PID 1268 wrote to memory of 4272	1268	WScript.exe	166
PID 4272 wrote to memory of 1440	4272	spoolsv.exe	167
PID 4272 wrote to memory of 1440	4272	spoolsv.exe	167
PID 4272 wrote to memory of 3464	4272	spoolsv.exe	168
PID 4272 wrote to memory of 3464	4272	spoolsv.exe	168
PID 1440 wrote to memory of 4232	1440	WScript.exe	169
PID 1440 wrote to memory of 4232	1440	WScript.exe	169
PID 4232 wrote to memory of 3968	4232	spoolsv.exe	170
PID 4232 wrote to memory of 3968	4232	spoolsv.exe	170
PID 4232 wrote to memory of 2104	4232	spoolsv.exe	171
PID 4232 wrote to memory of 2104	4232	spoolsv.exe	171
PID 3968 wrote to memory of 1380	3968	WScript.exe	179
PID 3968 wrote to memory of 1380	3968	WScript.exe	179
PID 1380 wrote to memory of 1012	1380	spoolsv.exe	180
PID 1380 wrote to memory of 1012	1380	spoolsv.exe	180
PID 1380 wrote to memory of 4320	1380	spoolsv.exe	181
PID 1380 wrote to memory of 4320	1380	spoolsv.exe	181
PID 1012 wrote to memory of 3584	1012	WScript.exe	182
PID 1012 wrote to memory of 3584	1012	WScript.exe	182
PID 3584 wrote to memory of 3960	3584	spoolsv.exe	183
PID 3584 wrote to memory of 3960	3584	spoolsv.exe	183

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	74548bc293609543285f3260033299f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\74548bc293609543285f3260033299f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74548bc293609543285f3260033299f0_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1864
- C:\Recovery\WindowsRE\spoolsv.exe
  "C:\Recovery\WindowsRE\spoolsv.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:32
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c0b6bde-4391-479e-b028-d9e104546e5b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Recovery\WindowsRE\spoolsv.exe
      C:\Recovery\WindowsRE\spoolsv.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2960
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6dcd362-f58f-4971-b65c-d338460bb0b8.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8183a34-63fa-4c5e-95aa-6869d5e56976.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2fb763-f648-422e-9993-df269f61c6f9.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1be4dc0-13f6-4d31-b3af-17a97ae614fd.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a026ed-ee8a-4318-bce8-e2d6cf9008c5.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df022e28-edd7-40ab-9d34-cc293bdbe72e.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a1e5a22-4c9e-4962-8710-0245156fe26c.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97fd658c-6993-42a4-84c7-11e567aa1fb3.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfd39ce3-6246-46be-8963-73783da512ba.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f6579b-37f3-4cda-bc8f-3499d824d51e.vbs"
        23⤵
        
        PID:3960
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d41cb5fc-f8f7-40f8-b91a-b911a20c828f.vbs"
        25⤵
        
        PID:3752
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb13038e-71a9-4a1b-8947-599d8a72d733.vbs"
        27⤵
        
        PID:2728
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc64b1c-d4f1-4af2-ae0b-f01d204f3c6a.vbs"
        29⤵
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\276177b4-696f-4e52-9d81-36234518128f.vbs"
        29⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5350ee6c-5abc-40af-9ad2-da32eac3d1c5.vbs"
        27⤵
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\052eb107-92e6-4131-97d3-c5b858fcc97d.vbs"
        25⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f8bea0-d15c-4257-bf23-9e85d8f4563c.vbs"
        23⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c981dcb-3d12-47a7-a3ae-f50ae052e18e.vbs"
        21⤵
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c67dde6-739a-44eb-a1e1-7201a7839d0e.vbs"
        19⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c124723b-b141-4c64-8c50-6485e813718c.vbs"
        17⤵
        
        PID:3464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\338bc24f-0b1a-4679-8658-f69e7e1ff65c.vbs"
        15⤵
        
        PID:32
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f136923-ef05-452e-9e50-22ca66d00684.vbs"
        13⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f7b3207-2b1c-4831-9250-6c1e1bbcd215.vbs"
        11⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61475dd4-98dc-46f5-9754-5e2132ab6ed6.vbs"
        9⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fa2e642-db93-45fd-a003-602fc94b1ca0.vbs"
        7⤵
        
        PID:3220
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0af7f1-c452-4249-bd23-45d7f42502c4.vbs"
        5⤵
        
        PID:4852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2790747-14ae-46aa-b3f2-a6319a53d126.vbs"
    3⤵
    PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics7" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics7" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics7" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74548bc293609543285f3260033299f0_NeikiAnalytics7" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\74548bc293609543285f3260033299f0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Configuration\Registry.exe

Filesize
1.2MB

MD5
dad12c3c8b13764316f5050d4852bc80

SHA1
a30a5125fc1c381477758e6ad5ead684b00fd347

SHA256
1274382529d1d1822cbb8bcc96f866145f09afdafdaf0043b3912ab4626018f2

SHA512
d2c7ccb701bc5abb1504101a414b8c7a72118c66dacb1032dac139a2e86527f9d45ff0eea9d7704cb6b21bb2ec44b389a50a0b882b183866810041a0bfbd8b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a1e5a22-4c9e-4962-8710-0245156fe26c.vbs

Filesize
709B

MD5
0a92642554e1cc7d64c92b38ab9ee34e

SHA1
3a660a2dd84f1f3f6fb8352b0a40be252c046413

SHA256
376d96344ff6afd8adce3d4a9635add9c6d27ed0658996e9cf589d6c6d07fc10

SHA512
dd7943e5f3e28c4b968e80357bf016c12039ca33c13b599eac92ec9a92c07e184a43e34fc7afe6c96a90d5b4731d08569ac742701375de8af4f70244276ddc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\97fd658c-6993-42a4-84c7-11e567aa1fb3.vbs

Filesize
709B

MD5
d9cc8886d40f86031d769294d46cd37e

SHA1
644855def6c72cdb799ac9a97c86e4d07e34b799

SHA256
3efec70aa43d7aa58fd7e131dc8c55fce1c3e24723125bba4a1258adbe59d7e8

SHA512
357ff5949521f4ebf43581da7989addd878f4653209c14b60810fc6f7a12ace42f88eb4909ef46dab0303cbc4ee9e787f582503f772b6ce427750b93ee48e0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c0b6bde-4391-479e-b028-d9e104546e5b.vbs

Filesize
707B

MD5
725f22f9f60e20ab4221d87791b46101

SHA1
262064d66a2096a5b4c58d2dae9fd00665e1b01e

SHA256
9883965e90b08fed03d47ba15093a0d2d8d13f105fcaa7d2aeafafb9013984d5

SHA512
b98bf2ab1205a7eaac18b772019eada566c8440798846ddfdc81bb061cc109ce1c4afe7f3c37be9b4cafbd125461e03d47ed18b7a0e0c348f7f7ef448bb777b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1be4dc0-13f6-4d31-b3af-17a97ae614fd.vbs

Filesize
709B

MD5
6cb9f1e9663dba7c6f424b34aa0813da

SHA1
0ed12bad38d25714a6fafa8ce95f1100841b3734

SHA256
1857ec726a271b207f72f0e120e11f272a8266cf9406df8e3027c3c15ec985ca

SHA512
f58213ca54a59808e2648205a3fa11b001dc8fd13c9136698fb19e9032b608cea3d5fbe35a08736f84dce7d54c0a4a2e8cca8b683e1ee8558b42395e54f7d70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5a026ed-ee8a-4318-bce8-e2d6cf9008c5.vbs

Filesize
708B

MD5
68cfc295d5f2e2529b22e2c3e9753ebe

SHA1
561d9b30ae57fd7b735568fb30c9b0414208ebc1

SHA256
e14d170681331c8b59f4a4e33e6b10b76559abb895e51c456420abf16dc87711

SHA512
acb51224846f8629fd991cca0a5a0c51be788321dcc217892b61471025d53a59f69d20810c3e8efcac7e2367a8594df1dfba30ef0f91ac52878c71a79b394e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6dcd362-f58f-4971-b65c-d338460bb0b8.vbs

Filesize
709B

MD5
24f9fbad4d09928a8de1d7296a296519

SHA1
846b29c8a8f81794a9d735f6820265fc32f62f19

SHA256
15dd378d7819c743e3f84593b57b028eb7bb16108e7df0d0ec529787fc4c65cf

SHA512
757784d41332c68b1b47e48547ef86353085824fb2fb032e74b58788fa57e8f4b9aa602e077942e7d15bbe48912a8b938e3a6b3bf443230d6cea39927255281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8f6579b-37f3-4cda-bc8f-3499d824d51e.vbs

Filesize
709B

MD5
affeec40b8d695208d149f12a6952786

SHA1
66d23aac3112733be81fff7de7202b0ebcfaff3e

SHA256
8aebf35385322f1f26ee1ad31c4a7dbaf00b40869e3f39514a4f993bdd9d4e52

SHA512
4a40dd71b3d6047a8fa84fafeb2b5fbd1b4b44b4498f59c1e6170588f0a1488b11682139351fa6a1c30992becb7fba8f82263d87abe60818ce7e79d0b7129668

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc2fb763-f648-422e-9993-df269f61c6f9.vbs

Filesize
709B

MD5
7de6a70bd41794c556b7995ad254f108

SHA1
d1762e9c93a80fa0ea434cf094321680ad8ea42a

SHA256
fbfd2851163044d4aa3d621398a21a37312d366c2403126853cfbc0efd2bcbfb

SHA512
b6f165d2bb61d4b856fb6155001f72df2b88874110d856fef9a99fc1fc993aced28994296d594adf664762b627d807b76b3aaca2b04bea781394ccca8f538ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfd39ce3-6246-46be-8963-73783da512ba.vbs

Filesize
709B

MD5
c558b75c729c512daca08d4232b1838e

SHA1
78a86de6a8d116c908a233a648ce624c8b8fe5e5

SHA256
8f87c33ccb6cc16fb874be3c326eceec2a884a870651bfc61c36550f919616a4

SHA512
7aa0129098309fcb457ac42feb948d735ed25765180baa4c6220a83c629f25a56dd91370baad676e4de6e990216f461ad5a4f18539fe0cb88f20ff7d0c5fb23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2790747-14ae-46aa-b3f2-a6319a53d126.vbs

Filesize
485B

MD5
b1d70fb4b0ca45657745f05102e2795a

SHA1
18cb9a5de07152e2388cd8363948857bc4a834f9

SHA256
628ee28b879d5d0bee3e5198f790e31a21e1af0eaeae0472aea4aa57f9fbdcf7

SHA512
b3c5aa723c989a51a9643efd9d5fc987a4b6605be50a19372c9039732b197f2e1064274ce9117d928012113d319cc49bfc88670e4e441e70733cb327fb884402

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8183a34-63fa-4c5e-95aa-6869d5e56976.vbs

Filesize
709B

MD5
02d11974007f5385e181ca2cd4408b37

SHA1
dde3644c2f4c9d01c0c2b8ab59a28345dcb16882

SHA256
ba8c6288d9747b7a24a9919c9ff4e16a9032593c7d97b1c02d175d7fb4421e66

SHA512
e2673fbff7bbe2f7dc2265d45cafa0e9bc72565c76b1134513123e43deacd76a9025ca92e36b8f9cbd9e0a70bb01cfa35689009c1c3ca91abe40dcd481cd218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d41cb5fc-f8f7-40f8-b91a-b911a20c828f.vbs

Filesize
709B

MD5
79bc68d7e5965908ab68daac8720bdda

SHA1
801cdaecfc83683076b8272a18fa9ed54cbbefa0

SHA256
529560e5de3cd1d80afe54829247f66c2513c06c4fbecd8da86147e134aecc62

SHA512
eaae809bbba7ae813998df6c27aeadf07699db4e13ad3765230096a058efc5fce574dee524bae1218d0ba59b193eddce00a909bbc4cb9ddca8f6f6c7c3c04e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\df022e28-edd7-40ab-9d34-cc293bdbe72e.vbs

Filesize
709B

MD5
32174debabef7dc33227c450205a4f25

SHA1
d007528983830f4998fb14a91c454aa27d2294de

SHA256
b624fd8832d9b09424926fa47e8d000211f4c994b5c2fdc7975ac9bbfcffd069

SHA512
02465e37a67455c32d4a8cc5c8538f0c4f17f179fced1fdc5705c7217ab14a2461a6e99f0efc7a4b8a3f690bb86fe5095f835367a0e22a1d8f67c60314e12f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc64b1c-d4f1-4af2-ae0b-f01d204f3c6a.vbs

Filesize
709B

MD5
52e0561dc8a9ffd5127c615b92d3392e

SHA1
ead26c905be606e907eb22dab741409129102b85

SHA256
def7bc984baccedfcaddf10cb2db076c0f5e07aea4aa01875447558adc1c04b3

SHA512
712a12e5eafb02e3320f4472189b42fd9dd7075d19b73e80cabc84234c28eb02f3fd3b9f97b36b3e0242e53f9eb19509f7a93c994590da94d2661062bca8ea33

Download Submit
C:\Windows\Globalization\ICU\RuntimeBroker.exe

Filesize
1.2MB

MD5
74548bc293609543285f3260033299f0

SHA1
70afb45f951e1f4f6a71cdc14206aa7c9dee8982

SHA256
ccd8fe156b0f0e49cd57438279edd5309a1cf0bf2d3c0d0276e85a265b125a78

SHA512
c76bed7f890884ee3deba85e5f7f7612e8bd9594479f8c7844e2e9c1ec1c69b4daf2db0da35d364ad6b35bd57406ee9ef87d055a6f2b9438461f1b4bd8d505a0

Download Submit
memory/1864-10-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/1864-12-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/1864-19-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/1864-20-0x000000001BF70000-0x000000001BF7A000-memory.dmp

Filesize
40KB

Download
memory/1864-21-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/1864-15-0x000000001BF20000-0x000000001BF28000-memory.dmp

Filesize
32KB

Download
memory/1864-17-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/1864-217-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

Filesize
10.8MB

Download
memory/1864-16-0x000000001BF30000-0x000000001BF3A000-memory.dmp

Filesize
40KB

Download
memory/1864-14-0x000000001BE10000-0x000000001BE1C000-memory.dmp

Filesize
48KB

Download
memory/1864-13-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/1864-18-0x000000001BF50000-0x000000001BF5C000-memory.dmp

Filesize
48KB

Download
memory/1864-11-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/1864-0-0x0000000000AB0000-0x0000000000BEA000-memory.dmp

Filesize
1.2MB

Download
memory/1864-5-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/1864-9-0x0000000002F90000-0x0000000002F9A000-memory.dmp

Filesize
40KB

Download
memory/1864-7-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/1864-8-0x0000000002F80000-0x0000000002F88000-memory.dmp

Filesize
32KB

Download
memory/1864-6-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/1864-4-0x000000001BDB0000-0x000000001BE00000-memory.dmp

Filesize
320KB

Download
memory/1864-3-0x0000000002F30000-0x0000000002F4C000-memory.dmp

Filesize
112KB

Download
memory/1864-2-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

Filesize
10.8MB

Download
memory/1864-1-0x00007FFEB3963000-0x00007FFEB3965000-memory.dmp

Filesize
8KB

Download