dcrat | 5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 05:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Size

3.2MB
MD5

9053e1e0f0dc79857427f7ef64fa3530
SHA1

93298ff5140f6ba9724e31dda271148cd73c7511
SHA256

5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b
SHA512

9bbcb60546639f4b995a817978c4f3331933fbf7dd409c2b1d06c84aeef1b437cd8e750abdf8dccafb558f5d68fe2f98f42feaeb01ccbee8934147f575cf5657
SSDEEP

49152:/C0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:/C0Fl8v/qXYrv5tG9uKJGAWl5N

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 61 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1332	schtasks.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72		9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
		708	schtasks.exe
		2152	schtasks.exe
		1580	schtasks.exe
		2844	schtasks.exe
		2012	schtasks.exe
		1356	schtasks.exe
		320	schtasks.exe
File created	C:\Program Files\Windows Mail\es-ES\56085415360792		9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
		2504	schtasks.exe
		1028	schtasks.exe
		2304	schtasks.exe
		2372	schtasks.exe
		2708	schtasks.exe
		2300	schtasks.exe
		2408	schtasks.exe
		2084	schtasks.exe
		324	schtasks.exe
		2520	schtasks.exe
		2816	schtasks.exe
		2036	schtasks.exe
		1228	schtasks.exe
		2484	schtasks.exe
		2440	schtasks.exe
		1708	schtasks.exe
		2296	schtasks.exe
		2388	schtasks.exe
		1696	schtasks.exe
		2208	schtasks.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792		9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
		2628	schtasks.exe
		1020	schtasks.exe
		1520	schtasks.exe
		2492	schtasks.exe
		2488	schtasks.exe
		1940	schtasks.exe
		2808	schtasks.exe
		2684	schtasks.exe
		2248	schtasks.exe
		2124	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
		660	schtasks.exe
		2692	schtasks.exe
		2940	schtasks.exe
		2612	schtasks.exe
		636	schtasks.exe
		1504	schtasks.exe
		2172	schtasks.exe
		1244	schtasks.exe
		1744	schtasks.exe
		1484	schtasks.exe
		1496	schtasks.exe
		1516	schtasks.exe
		2240	schtasks.exe
		1160	schtasks.exe
		2660	schtasks.exe
		1748	schtasks.exe
		1644	schtasks.exe
		2988	schtasks.exe
		1388	schtasks.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2720	schtasks.exe	28

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2228-1-0x0000000000930000-0x0000000000C6C000-memory.dmp	dcrat
behavioral1/files/0x0007000000016851-43.dat	dcrat
behavioral1/memory/2592-149-0x0000000000FF0000-0x000000000132C000-memory.dmp	dcrat
behavioral1/memory/2400-278-0x0000000000F10000-0x000000000124C000-memory.dmp	dcrat
behavioral1/memory/3040-290-0x0000000000320000-0x000000000065C000-memory.dmp	dcrat
behavioral1/memory/1136-302-0x00000000000F0000-0x000000000042C000-memory.dmp	dcrat
behavioral1/memory/1592-314-0x00000000013B0000-0x00000000016EC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe
1452	powershell.exe
2252	powershell.exe
1680	powershell.exe
2584	powershell.exe
1456	powershell.exe
1592	powershell.exe
2932	powershell.exe
1248	powershell.exe
2332	powershell.exe
2380	powershell.exe
2068	powershell.exe
1536	powershell.exe
1520	powershell.exe
2948	powershell.exe
892	powershell.exe
876	powershell.exe
1772	powershell.exe
1632	powershell.exe
2428	powershell.exe
2500	powershell.exe
2748	powershell.exe
2672	powershell.exe
2548	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2400	smss.exe
3040	smss.exe
1136	smss.exe
1592	smss.exe
1452	smss.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\69ddcba757bf72	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\886983d96e3d3e	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\System.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Uninstall Information\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\27d1bcfc3c54e0	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\es-ES\wininit.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\69ddcba757bf72	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX2012.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX2013.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX1DFE.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\886983d96e3d3e	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\System.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\f64ee6197c7d98	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\csrss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\es-ES\56085415360792	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX1DFF.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\wininit.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\csrss.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\lsm.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\LiveKernelReports\lsm.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\LiveKernelReports\101b941d020240	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\TAPI\winlogon.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\ServiceProfiles\LocalService\Desktop\42af1c969fbb7b	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX2228.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\Globalization\ELS\Transliteration\winlogon.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\TAPI\cc11b995f2a76d	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\winlogon.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\TAPI\winlogon.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX2227.tmp	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\Globalization\ELS\Transliteration\cc11b995f2a76d	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2484	schtasks.exe
2440	schtasks.exe
1356	schtasks.exe
2248	schtasks.exe
2808	schtasks.exe
2660	schtasks.exe
1244	schtasks.exe
1496	schtasks.exe
2304	schtasks.exe
1696	schtasks.exe
1580	schtasks.exe
2492	schtasks.exe
324	schtasks.exe
2504	schtasks.exe
1332	schtasks.exe
320	schtasks.exe
2152	schtasks.exe
2172	schtasks.exe
2940	schtasks.exe
2124	schtasks.exe
2708	schtasks.exe
1020	schtasks.exe
2628	schtasks.exe
2300	schtasks.exe
1516	schtasks.exe
2520	schtasks.exe
1940	schtasks.exe
1388	schtasks.exe
2372	schtasks.exe
2692	schtasks.exe
1748	schtasks.exe
2488	schtasks.exe
2012	schtasks.exe
2388	schtasks.exe
1644	schtasks.exe
2240	schtasks.exe
1504	schtasks.exe
2988	schtasks.exe
1744	schtasks.exe
1520	schtasks.exe
2684	schtasks.exe
2844	schtasks.exe
708	schtasks.exe
2084	schtasks.exe
660	schtasks.exe
2036	schtasks.exe
2296	schtasks.exe
1228	schtasks.exe
1160	schtasks.exe
2208	schtasks.exe
2612	schtasks.exe
2816	schtasks.exe
636	schtasks.exe
1708	schtasks.exe
1028	schtasks.exe
2408	schtasks.exe
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
1536	powershell.exe
1632	powershell.exe
2428	powershell.exe
2948	powershell.exe
2528	powershell.exe
1452	powershell.exe
1520	powershell.exe
1248	powershell.exe
1592	powershell.exe
2332	powershell.exe
2500	powershell.exe
2932	powershell.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2400	smss.exe
Token: SeDebugPrivilege	3040	smss.exe
Token: SeDebugPrivilege	1136	smss.exe
Token: SeDebugPrivilege	1592	smss.exe
Token: SeDebugPrivilege	1452	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1632	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	38
PID 2228 wrote to memory of 1632	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	38
PID 2228 wrote to memory of 1632	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	38
PID 2228 wrote to memory of 1536	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	39
PID 2228 wrote to memory of 1536	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	39
PID 2228 wrote to memory of 1536	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	39
PID 2228 wrote to memory of 1592	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	41
PID 2228 wrote to memory of 1592	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	41
PID 2228 wrote to memory of 1592	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	41
PID 2228 wrote to memory of 1452	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	42
PID 2228 wrote to memory of 1452	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	42
PID 2228 wrote to memory of 1452	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	42
PID 2228 wrote to memory of 2332	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	43
PID 2228 wrote to memory of 2332	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	43
PID 2228 wrote to memory of 2332	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	43
PID 2228 wrote to memory of 2948	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	44
PID 2228 wrote to memory of 2948	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	44
PID 2228 wrote to memory of 2948	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	44
PID 2228 wrote to memory of 2428	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	45
PID 2228 wrote to memory of 2428	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	45
PID 2228 wrote to memory of 2428	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	45
PID 2228 wrote to memory of 2528	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	46
PID 2228 wrote to memory of 2528	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	46
PID 2228 wrote to memory of 2528	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	46
PID 2228 wrote to memory of 2500	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	47
PID 2228 wrote to memory of 2500	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	47
PID 2228 wrote to memory of 2500	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	47
PID 2228 wrote to memory of 1520	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	50
PID 2228 wrote to memory of 1520	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	50
PID 2228 wrote to memory of 1520	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	50
PID 2228 wrote to memory of 1248	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	52
PID 2228 wrote to memory of 1248	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	52
PID 2228 wrote to memory of 1248	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	52
PID 2228 wrote to memory of 2932	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	53
PID 2228 wrote to memory of 2932	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	53
PID 2228 wrote to memory of 2932	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	53
PID 2228 wrote to memory of 2904	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	62
PID 2228 wrote to memory of 2904	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	62
PID 2228 wrote to memory of 2904	2228	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	62
PID 2904 wrote to memory of 896	2904	cmd.exe	64
PID 2904 wrote to memory of 896	2904	cmd.exe	64
PID 2904 wrote to memory of 896	2904	cmd.exe	64
PID 2904 wrote to memory of 2592	2904	cmd.exe	65
PID 2904 wrote to memory of 2592	2904	cmd.exe	65
PID 2904 wrote to memory of 2592	2904	cmd.exe	65
PID 2592 wrote to memory of 2252	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	114
PID 2592 wrote to memory of 2252	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	114
PID 2592 wrote to memory of 2252	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	114
PID 2592 wrote to memory of 2748	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	115
PID 2592 wrote to memory of 2748	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	115
PID 2592 wrote to memory of 2748	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	115
PID 2592 wrote to memory of 2380	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	116
PID 2592 wrote to memory of 2380	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	116
PID 2592 wrote to memory of 2380	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	116
PID 2592 wrote to memory of 1680	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	118
PID 2592 wrote to memory of 1680	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	118
PID 2592 wrote to memory of 1680	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	118
PID 2592 wrote to memory of 2068	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	119
PID 2592 wrote to memory of 2068	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	119
PID 2592 wrote to memory of 2068	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	119
PID 2592 wrote to memory of 1772	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	121
PID 2592 wrote to memory of 1772	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	121
PID 2592 wrote to memory of 1772	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	121
PID 2592 wrote to memory of 2548	2592	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe	122

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tu5TicqWzM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.bat"
      4⤵
      PID:2840
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:884
    - - C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        
        "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c7cb01b-2071-4d30-86ff-17439033d1c1.vbs"
        6⤵
        
        PID:2600
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3530065-e337-4777-89e6-4c13551d3d07.vbs"
        8⤵
        
        PID:2604
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8121eb-8e55-462c-9929-a28e9cf670a5.vbs"
        10⤵
        
        PID:2564
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c231ab6-0b6b-4d56-8376-a9f7a265d795.vbs"
        12⤵
        
        PID:2740
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e8f0f4-0d59-43f0-98dc-995bc47affef.vbs"
        14⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a18edb-86c4-4147-a905-28b0887cb81c.vbs"
        14⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2edaa45-9ab1-43a7-8338-c6cb7689de82.vbs"
        12⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae69d8f3-4922-42f5-91e7-60d4085d5ab6.vbs"
        10⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ec94ea-41d5-4ddb-b233-7f0711149a3b.vbs"
        8⤵
        
        PID:1708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2460d63e-a740-4e79-b4db-541d6591a0ff.vbs"
        6⤵
        
        PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics9" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\9053e1e0f0dc79857427f7ef64fa3530_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2460d63e-a740-4e79-b4db-541d6591a0ff.vbs

Filesize
509B

MD5
e1c11071cdbc31febd05b499adddd293

SHA1
b04f183a67249fa0181897800eac5b0e1c8baba3

SHA256
29bef5bba2d4c71df20fcb3d49dbd3b9945d528343059db7195042997408611e

SHA512
eec39fbda75538fbee950bcaf6e5d30338acbf35818f8ad8932098e26714c57a544abd1084fad1da7455bd02634da2750728a6571b5d74caf8cb5b2c0f768b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c231ab6-0b6b-4d56-8376-a9f7a265d795.vbs

Filesize
733B

MD5
e1c51305ccd6ee28ec1aca1f63940da2

SHA1
ec915db2b816b299d9879673fae74005adfb4344

SHA256
1af34cf3e5113af9aa75d212742c292762f02c12c961eddc25d456e327ce508a

SHA512
23439d99604c1349cf95219e9b51a860466f7bd867117fd8f71340189123322fa0fafe56a67a4452dc2d590e05fc51ad1b3b05df4a732cdb528f5d6bfce3a7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e8121eb-8e55-462c-9929-a28e9cf670a5.vbs

Filesize
733B

MD5
cc878f82682b7c44cfc915a278aaf2d1

SHA1
1dd3d1ead42ee5120a1c2e0b46ea9126300bb8f5

SHA256
49775b2883dd9ef5732d159e35a837990ec7600d7b00fdb492a634f94af58dcd

SHA512
75624021e5f17694170a8299f0aa2516ec12fe007968cd555ddc17d2534dfcbe35a0e4e275c8e85ab1c542e7f784bb437d485f907bc87c8e3dad7ed5a34cd0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c7cb01b-2071-4d30-86ff-17439033d1c1.vbs

Filesize
733B

MD5
9814ae6fe9fe19363eee016caa3139ed

SHA1
800483d4fcb75a17607b645e62b655ac3c928479

SHA256
f1818fe679a941111d395bb8359e57ae610587c5acd15be50d8d7a675ce871aa

SHA512
b0b02779dc1cafea3bf042050442da18b4d8cf7b8497004848094daf884105877cb9b68c9ea187f7321b068f1d850eccba060bcc274f137d6bf27a6f5e4a968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\89e8f0f4-0d59-43f0-98dc-995bc47affef.vbs

Filesize
733B

MD5
bae2fdebb3fade0d41f05df1339d6934

SHA1
a645dce2874efcb56483e6bad76c82123455f719

SHA256
f99d0f8f7e693578b46c1bc137557eed44849807097aa64eea89cfe24e21d677

SHA512
03235aaea4b8ef7ec6a30b8e6b417e8aeb258e949b4b5992c7291d0563a4f3e33a7f0ddb36c44486e5a830121e2d729a38022a96787f398c0e5c87d1cb8de76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.bat

Filesize
222B

MD5
13814caeb82fb165f4a2cf62c6c178bc

SHA1
ab9f0847dd91e0975ff62e4ea437408702d2ae32

SHA256
48912b51debafbed5ff94fbad22e3e962b447598cc79318eaf019da6a402c87d

SHA512
fd17403df6c3db98608832fcd8b9f81a0d5db2045a67fd280fa7d3851e2cb5c792c99d22984f1f17eb38cc7515d9fcc719cfb791a03da104315d48e8212e58df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX1BEB.tmp

Filesize
3.2MB

MD5
9053e1e0f0dc79857427f7ef64fa3530

SHA1
93298ff5140f6ba9724e31dda271148cd73c7511

SHA256
5e18fece13e186284ad707df63c1d44b117dbffd5da5b814ebf1a68647679c5b

SHA512
9bbcb60546639f4b995a817978c4f3331933fbf7dd409c2b1d06c84aeef1b437cd8e750abdf8dccafb558f5d68fe2f98f42feaeb01ccbee8934147f575cf5657

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3530065-e337-4777-89e6-4c13551d3d07.vbs

Filesize
733B

MD5
a45ae3474dc577103be7d6243b01b7c5

SHA1
e41dee895be260dc2ca1a0b5fd3508852ada9c03

SHA256
abdec34aeabc77202f41e40d1a7546c4ca52060398f6aade6101fe2b9e06e8d1

SHA512
89e0a4fe419fd20c6e1a92ddf49d6d1f252d8b5a4b56e81aadfa4dbbcfb1dad685768c691bbf5b6437858ad6a75788ba1b50e19d07cda8e605750783c5c976f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tu5TicqWzM.bat

Filesize
250B

MD5
1c75ad7367c828441792b6de4b6d76a4

SHA1
680df368e002a0a67d2005939769c71782f43609

SHA256
1d329ca402c54c36d8fc43d9f6d227e7f9d9983d67cadcb9c34cb9bc2a5fcc9f

SHA512
2b609129e2d4ac38d10ed985546fab3aaf9bcd97572779c41b44c27dd7cd384ba6cb7773f7f4eacdec8e17b2d1682ee2875ed7bc1ebf521a28811785b6ec4b8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf771a0383b69e3172be65ee549e8078

SHA1
88de047f37ae566c61319a3a662b07483c9ebe6b

SHA256
788ff5217822feb73affdf2b8879b32b9c751a5c9b530c2a604e055f3c867f9f

SHA512
40eada9e6a3872b4f48b92ff6dcf2078bb2b859f377870a5c4de9bf37900158fbff02f28defa8a288f3551aa38b06816e73ac11be31bacf758a1681bdf0f404b

Download Submit
memory/876-225-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/876-226-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1136-302-0x00000000000F0000-0x000000000042C000-memory.dmp

Filesize
3.2MB

Download
memory/1536-96-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1536-95-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1592-314-0x00000000013B0000-0x00000000016EC000-memory.dmp

Filesize
3.2MB

Download
memory/1592-315-0x0000000000AD0000-0x0000000000B26000-memory.dmp

Filesize
344KB

Download
memory/2228-14-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/2228-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2228-20-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

Filesize
48KB

Download
memory/2228-21-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

Filesize
48KB

Download
memory/2228-22-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

Filesize
48KB

Download
memory/2228-25-0x000000001AA20000-0x000000001AA2E000-memory.dmp

Filesize
56KB

Download
memory/2228-24-0x000000001AA10000-0x000000001AA1A000-memory.dmp

Filesize
40KB

Download
memory/2228-23-0x000000001AA00000-0x000000001AA08000-memory.dmp

Filesize
32KB

Download
memory/2228-28-0x000000001AA50000-0x000000001AA5C000-memory.dmp

Filesize
48KB

Download
memory/2228-27-0x000000001AA40000-0x000000001AA4E000-memory.dmp

Filesize
56KB

Download
memory/2228-26-0x000000001AA30000-0x000000001AA38000-memory.dmp

Filesize
32KB

Download
memory/2228-29-0x000000001AA60000-0x000000001AA68000-memory.dmp

Filesize
32KB

Download
memory/2228-30-0x000000001AA70000-0x000000001AA7A000-memory.dmp

Filesize
40KB

Download
memory/2228-31-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-32-0x000000001AB80000-0x000000001AB8C000-memory.dmp

Filesize
48KB

Download
memory/2228-18-0x000000001A910000-0x000000001A922000-memory.dmp

Filesize
72KB

Download
memory/2228-17-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/2228-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2228-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2228-19-0x000000001A940000-0x000000001A94C000-memory.dmp

Filesize
48KB

Download
memory/2228-141-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-1-0x0000000000930000-0x0000000000C6C000-memory.dmp

Filesize
3.2MB

Download
memory/2228-13-0x000000001A8C0000-0x000000001A916000-memory.dmp

Filesize
344KB

Download
memory/2228-12-0x00000000023F0000-0x00000000023FA000-memory.dmp

Filesize
40KB

Download
memory/2228-11-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2228-10-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2228-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2228-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2228-9-0x0000000002330000-0x0000000002346000-memory.dmp

Filesize
88KB

Download
memory/2228-8-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2228-4-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2228-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2228-6-0x00000000022F0000-0x000000000230C000-memory.dmp

Filesize
112KB

Download
memory/2228-5-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/2400-279-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/2400-278-0x0000000000F10000-0x000000000124C000-memory.dmp

Filesize
3.2MB

Download
memory/2592-149-0x0000000000FF0000-0x000000000132C000-memory.dmp

Filesize
3.2MB

Download
memory/3040-290-0x0000000000320000-0x000000000065C000-memory.dmp

Filesize
3.2MB

Download