Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 05:25
Behavioral task: behavioral1
Sample: 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Size: 3.2MB
MD5: 857ee271fe97719273d3a7df9586c7b0
SHA1: a815a6730abd1044c011e71a142e7d2aa370ba81
SHA256: ba26bbdfefe435d7ccf3bed77eeacdb9078a87468bce53916a05e6ed62091d77
SHA512: 1bc69d4932d44fcaff533257d9b0ffca80714ec766bd676052d84a2b0e3ae2d71fbb936420d2a243d288a3ee468e9f41667a192ccd4ebd846e7595dbcfea0186
SSDEEP: 49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (all 24 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process / target process
376 | 2116 | schtasks.exe
4748 | 2116 | schtasks.exe
2948 | 2116 | schtasks.exe
4808 | 2116 | schtasks.exe
2780 | 2116 | schtasks.exe
3408 | 2116 | schtasks.exe
2772 | 2116 | schtasks.exe
392 | 2116 | schtasks.exe
4160 | 2116 | schtasks.exe
4608 | 2116 | schtasks.exe
2256 | 2116 | schtasks.exe
4516 | 2116 | schtasks.exe
3488 | 2116 | schtasks.exe
452 | 2116 | schtasks.exe
4400 | 2116 | schtasks.exe
2228 | 2116 | schtasks.exe
744 | 2116 | schtasks.exe
4440 | 2116 | schtasks.exe
3644 | 2116 | schtasks.exe
1864 | 2116 | schtasks.exe
2352 | 2116 | schtasks.exe
4152 | 2116 | schtasks.exe
3324 | 2116 | schtasks.exe
2856 | 2116 | schtasks.exe
UAC bypass
Processes:
description | ioc | process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
(identical rows collapsed; 24 rows in total)
Yara matches:
resource | yara_rule
behavioral2/memory/3032-1-0x0000000000E20000-0x000000000115C000-memory.dmp | dcrat
C:\Windows\Offline Web Pages\fontdrvhost.exe | dcrat
C:\Program Files\dotnet\shared\wininit.exe | dcrat
C:\Windows\Offline Web Pages\fontdrvhost.exe | dcrat
behavioral2/memory/3936-297-0x0000000000630000-0x000000000096C000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
2252 | powershell.exe
1704 | powershell.exe
4076 | powershell.exe
2192 | powershell.exe
4972 | powershell.exe
1488 | powershell.exe
4656 | powershell.exe
592 | powershell.exe
4660 | powershell.exe
2188 | powershell.exe
940 | powershell.exe
Checks computer location settings (2 TTPs, 8 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process | count
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe | 7
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
(identical rows collapsed; 8 rows in total)
Executes dropped EXE (7 IoCs)
Processes:
pid | process
3936 | fontdrvhost.exe
4916 | fontdrvhost.exe
1500 | fontdrvhost.exe
4908 | fontdrvhost.exe
436 | fontdrvhost.exe
4352 | fontdrvhost.exe
4556 | fontdrvhost.exe
Checks whether UAC is enabled
Processes:
description | ioc | process | count
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe | 7
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
(identical rows collapsed; 16 rows in total)
Drops file in Program Files directory (25 IoCs)
Processes:
process (all 25 rows): 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
description | ioc
File created | C:\Program Files\dotnet\shared\56085415360792
File created | C:\Program Files\Java\jre-1.8\lib\ext\explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft\RCX4B40.tmp
File created | C:\Program Files\dotnet\shared\wininit.exe
File created | C:\Program Files (x86)\Microsoft\55b276f4edf653
File created | C:\Program Files\Java\jre-1.8\lib\ext\7a0fd90576e088
File opened for modification | C:\Program Files\dotnet\shared\RCX4417.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX4116.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX4117.tmp
File opened for modification | C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\RCX4D55.tmp
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5b884080fd4f94
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe
File opened for modification | C:\Program Files\dotnet\shared\wininit.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f
File created | C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
File opened for modification | C:\Program Files\dotnet\shared\RCX4399.tmp
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCX48AE.tmp
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCX48BE.tmp
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft\RCX4B41.tmp
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\RCX4D56.tmp
Drops file in Windows directory (15 IoCs)
Processes:
process (all 15 rows): 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
description | ioc
File opened for modification | C:\Windows\Offline Web Pages\fontdrvhost.exe
File created | C:\Windows\IME\IMETC\5940a34987c991
File opened for modification | C:\Windows\SoftwareDistribution\SLS\RCX3CDC.tmp
File opened for modification | C:\Windows\Offline Web Pages\RCX461B.tmp
File opened for modification | C:\Windows\Offline Web Pages\RCX4699.tmp
File opened for modification | C:\Windows\SoftwareDistribution\SLS\SppExtComObj.exe
File created | C:\Windows\Offline Web Pages\5b884080fd4f94
File opened for modification | C:\Windows\IME\IMETC\RCX3F01.tmp
File opened for modification | C:\Windows\SoftwareDistribution\SLS\RCX3CED.tmp
File created | C:\Windows\SoftwareDistribution\SLS\e1ef82546f0b02
File created | C:\Windows\IME\IMETC\dllhost.exe
File created | C:\Windows\Offline Web Pages\fontdrvhost.exe
File created | C:\Windows\SoftwareDistribution\SLS\SppExtComObj.exe
File opened for modification | C:\Windows\IME\IMETC\RCX3F02.tmp
File opened for modification | C:\Windows\IME\IMETC\dllhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4808 | schtasks.exe
4608 | schtasks.exe
3488 | schtasks.exe
2352 | schtasks.exe
4152 | schtasks.exe
4748 | schtasks.exe
4160 | schtasks.exe
4400 | schtasks.exe
2228 | schtasks.exe
4440 | schtasks.exe
3324 | schtasks.exe
2856 | schtasks.exe
1864 | schtasks.exe
2948 | schtasks.exe
2780 | schtasks.exe
2772 | schtasks.exe
2256 | schtasks.exe
4516 | schtasks.exe
452 | schtasks.exe
3644 | schtasks.exe
376 | schtasks.exe
3408 | schtasks.exe
392 | schtasks.exe
744 | schtasks.exe
Modifies registry class (7 IoCs)
Processes:
description | ioc | process | count
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | fontdrvhost.exe | 7
(identical rows collapsed; 7 rows in total)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process | count
3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 48
2188 | powershell.exe | 2
1704 | powershell.exe | 2
4660 | powershell.exe | 2
1488 | powershell.exe | 2
2252 | powershell.exe | 2
4076 | powershell.exe | 2
2192 | powershell.exe | 2
4656 | powershell.exe | 2
(identical rows collapsed; 64 rows in total)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2188 | powershell.exe
Token: SeDebugPrivilege | 1704 | powershell.exe
Token: SeDebugPrivilege | 4660 | powershell.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 4656 | powershell.exe
Token: SeDebugPrivilege | 2252 | powershell.exe
Token: SeDebugPrivilege | 4076 | powershell.exe
Token: SeDebugPrivilege | 2192 | powershell.exe
Token: SeDebugPrivilege | 940 | powershell.exe
Token: SeDebugPrivilege | 592 | powershell.exe
Token: SeDebugPrivilege | 4972 | powershell.exe
Token: SeDebugPrivilege | 3936 | fontdrvhost.exe
Token: SeDebugPrivilege | 4916 | fontdrvhost.exe
Token: SeDebugPrivilege | 1500 | fontdrvhost.exe
Token: SeDebugPrivilege | 4908 | fontdrvhost.exe
Token: SeDebugPrivilege | 436 | fontdrvhost.exe
Token: SeDebugPrivilege | 4352 | fontdrvhost.exe
Token: SeDebugPrivilege | 4556 | fontdrvhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 3032 wrote to memory of 4660 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 592 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 4656 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 1704 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 1488 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 4972 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 2252 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 940 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 2192 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 2188 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 4076 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | powershell.exe
PID 3032 wrote to memory of 3936 | 3032 | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | fontdrvhost.exe
PID 3936 wrote to memory of 2772 | 3936 | fontdrvhost.exe | WScript.exe
PID 3936 wrote to memory of 1760 | 3936 | fontdrvhost.exe | WScript.exe
PID 2772 wrote to memory of 4916 | 2772 | WScript.exe | fontdrvhost.exe
PID 4916 wrote to memory of 4108 | 4916 | fontdrvhost.exe | WScript.exe
PID 4916 wrote to memory of 2188 | 4916 | fontdrvhost.exe | WScript.exe
PID 4108 wrote to memory of 1500 | 4108 | WScript.exe | fontdrvhost.exe
PID 1500 wrote to memory of 4760 | 1500 | fontdrvhost.exe | WScript.exe
PID 1500 wrote to memory of 3608 | 1500 | fontdrvhost.exe | WScript.exe
PID 4760 wrote to memory of 4908 | 4760 | WScript.exe | fontdrvhost.exe
PID 4908 wrote to memory of 4336 | 4908 | fontdrvhost.exe | WScript.exe
PID 4908 wrote to memory of 1952 | 4908 | fontdrvhost.exe | WScript.exe
PID 4336 wrote to memory of 436 | 4336 | WScript.exe | fontdrvhost.exe
PID 436 wrote to memory of 844 | 436 | fontdrvhost.exe | WScript.exe
PID 436 wrote to memory of 4160 | 436 | fontdrvhost.exe | WScript.exe
PID 844 wrote to memory of 4352 | 844 | WScript.exe | fontdrvhost.exe
PID 4352 wrote to memory of 4152 | 4352 | fontdrvhost.exe | WScript.exe
PID 4352 wrote to memory of 2856 | 4352 | fontdrvhost.exe | WScript.exe
PID 4152 wrote to memory of 4556 | 4152 | WScript.exe | fontdrvhost.exe
PID 4556 wrote to memory of 3324 | 4556 | fontdrvhost.exe | WScript.exe
PID 4556 wrote to memory of 2900 | 4556 | fontdrvhost.exe | WScript.exe
(each of the 32 rows above appears twice in the report; 64 rows in total)
System policy modification (1 TTPs, 24 IoCs)
Processes:
description | ioc | process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe | 7
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe | 1
(identical rows collapsed; 24 rows in total)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:592
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:940
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3936 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb146de3-f490-45cb-b8da-3cc43b2b168d.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4916 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6996dda1-fa2e-4f02-86af-bc6947a5e7fd.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1500 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d53960-2fb3-476d-98e9-ed7c6309ecf8.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4908 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39eb1c80-1c3f-49bf-ab0d-0426b4b80b6a.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5adfa961-521b-4a1b-957b-1b028c305ac3.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4352 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\877794ec-c394-488f-9263-a2718a7d7df0.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\Offline Web Pages\fontdrvhost.exe"C:\Windows\Offline Web Pages\fontdrvhost.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4556 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a8278b-354d-4548-ae14-2c15b69577a9.vbs"15⤵
PID:3324
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0c93835-c5ca-4b76-94c9-43421d76d0f8.vbs"15⤵
PID:2900
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eaca409-40fa-452e-a315-3c747ffee63d.vbs"13⤵
PID:2856
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a1470ba-11f3-483d-ad67-6b8e9523efdf.vbs"11⤵
PID:4160
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\491e2dc5-b229-45c8-a2c3-33175ac82fd8.vbs"9⤵
PID:1952
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11fd0a3c-eeab-4b7c-95ca-91435b96eb2d.vbs"7⤵
PID:3608
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af6891dc-0fde-4e47-a6c5-e2f4a342facf.vbs"5⤵
PID:2188
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a40b1f81-bc61-4c34-9e64-f3228d9997c6.vbs"3⤵
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\SLS\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\SLS\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMETC\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMETC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\ext\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856
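Every scheduled task above follows one pattern: a task named after a genuine Windows or Office binary (SppExtComObj, dllhost, fontdrvhost, wininit, OfficeClickToRun, StartMenuExperienceHost, explorer), an action that runs a same-named copy from a directory that never hosts that binary (C:\Windows\Offline Web Pages, C:\Windows\IME\IMETC, C:\Program Files\dotnet\shared and so on), a repetition trigger of a few minutes paired with an ONLOGON trigger, and /rl HIGHEST so the copy runs with a full administrator token. The PowerShell below is an added hunting script, not part of the sandbox report and not code from the sample: it walks the task library with Get-ScheduledTask, pulls the executable out of each action (the report's actions wrap the path in single quotes inside double quotes, so the script parses the first drive-rooted .exe path out of the joined command line rather than trusting the Execute field alone), and reports tasks that use one of these names from outside the directories where the real binary lives. The name list is taken from this report; the legitimate-directory list assumes a stock install, and both should be extended for your environment.

```powershell
# Added hunting script, not from the report or the sample. Needs the ScheduledTasks
# module (Windows 8 / Server 2012 and later).
# Binary names this sample's tasks masquerade as (taken from the schtasks lines above).
$MasqueradedNames = @(
    'SppExtComObj.exe', 'dllhost.exe', 'fontdrvhost.exe', 'wininit.exe',
    'OfficeClickToRun.exe', 'StartMenuExperienceHost.exe', 'explorer.exe'
)

# Where the genuine binaries live on a stock install (assumption; adjust per image).
$LegitimateDirs = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\SystemApps\",
    "$env:ProgramFiles\Common Files\Microsoft Shared\ClickToRun\"
)
$LegitimateFiles = @("$env:SystemRoot\explorer.exe")

function Get-ActionExecutable {
    param([string]$Execute, [string]$Arguments)
    # schtasks /tr "'C:\path with spaces\x.exe'" can split across Execute and
    # Arguments, so parse the first drive-rooted *.exe path out of the joined line.
    $cmd = [Environment]::ExpandEnvironmentVariables("$Execute $Arguments")
    if ($cmd -match '(?i)[A-Za-z]:\\[^''"]+?\.exe\b') { return $Matches[0] }
    return $null
}

function Test-MasqueradingPath {
    param([string]$Exe)
    $leaf = [IO.Path]::GetFileName($Exe)
    if ($MasqueradedNames -notcontains $leaf) { return $false }
    if ($LegitimateFiles -contains $Exe) { return $false }
    $dir = [IO.Path]::GetDirectoryName($Exe).TrimEnd('\') + '\'
    foreach ($root in $LegitimateDirs) {
        if ($dir.StartsWith($root, 'OrdinalIgnoreCase')) { return $false }
    }
    return $true
}

function Get-MasqueradingTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = Get-ActionExecutable -Execute $action.Execute -Arguments $action.Arguments
            if (-not $exe -or -not (Test-MasqueradingPath -Exe $exe)) { continue }
            $intervals = $task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }
            $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Execute  = $exe
                RunLevel = $task.Principal.RunLevel   # 'Highest' mirrors /rl HIGHEST
                Repeats  = ($intervals -join ', ')    # e.g. PT8M for /sc MINUTE /mo 8
                OnLogon  = [bool]$logon               # /sc ONLOGON
            }
        }
    }
}

Get-MasqueradingTasks | Format-Table -AutoSize
```

On a host infected with this sample the output should list the task pairs seen above (fontdrvhost / fontdrvhostf, dllhost / dllhostd, and so on) with RunLevel Highest, a minute-granularity Repeats value and OnLogon True for one of each pair. The check deliberately keys on the name collision rather than on the exact drop paths, since the directories vary between builds of this family while the impersonated names do not.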
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (T1548) 1
Bypass User Account Control (T1548.002) 1
Scheduled Task/Job (T1053) 1
Downloads
-
Filesize 3.2MB
MD5 cabcdf952989b1dcf1b586df3edbc36d
SHA1 5c8ac76273f3b1a08c4489b82719c7fdf03f24cd
SHA256 8fd73e3ddbcf491d5420e7de32c35823f6b2b81705c4cdb0766616c862fcff70
SHA512 906405863779c66e38b365ce0bd1c942c5a482c19c32cad11ca391bdc444f0b1fcc0b456d26e958dc50ffd730dc52654e0378f9f090d9688524979cd07d51271
-
Filesize 1KB
MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize 944B
MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize 944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize 944B
MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize 944B
MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize 944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize 720B
MD5 10ad04f438918aa61f8d68d813d239e4
SHA1 a6e2c1022e306db266293684fb11a984371ce5c5
SHA256 c14dde9a2502239511087c3d84c307a36c933c988f732cf01bd3e8be3dd5ce9e
SHA512 ffa145cff80336323a7699c2239bb71561965ffd9dd933781a8f9c989d282c7c981e493fa05e8b4ace33ab5fad4db0920feb685daf7af636cea06ed68acb45b3
-
Filesize 719B
MD5 500d969219a1b78b46ccf71efb4a9ae5
SHA1 3b5ff74cfee5e0a2b49bf946245d1176a955db2b
SHA256 7f5071aa438514db1dc7909e5f75326b7785ad12a2465dea0e48180600f476da
SHA512 c4576df0f318015b353ddf506365494b84d2441f67592f934c5753df7ad893d9973a6401904acf123ce8d2606907b7eccacbb4df873b2c6778675c79cb7904f7
-
Filesize 720B
MD5 4b4b888228078efe9c1117b2e797bd0a
SHA1 f219e9c2546f551c34272756a8d6cc5548f7eb44
SHA256 f1b39bcd210df30160a30febb9baa27c614baa8d539cec66f0bf80616551d778
SHA512 3dffb50e88e6c2d2a5fb12976d7ac5d3a41c649ef0341c92dc71664a50c4f6bc2fa4b02d5db5d02b860b9934d5f8818b2f7fbcbabc8d1472e2487571ca89da3b
-
Filesize 720B
MD5 7d102d6e9348f2f8af743b6c14528db4
SHA1 9aefe7bd690927d98c464fe2b3ad16fb7d2dd5cd
SHA256 20e866fc6192f2c3bcd7c8a571a40c45cc56766906858116813da2aa72991868
SHA512 be07d352d6fcf33ff5429e18149db86ef69a5e5a7eaae30620275222dc6f393dd15151bdaeab7fa3fe092590b0fee4dab471a145ad3b9a6766306e5408ceb592
-
Filesize 720B
MD5 f9afc1708a1c9cc03292fae89514d39a
SHA1 3479a0ee9571ae2d88e71f8728ae564014a114e4
SHA256 46d1aa129237b641ee2cca72791ef77163291594c944c8b42af4103e204845f6
SHA512 c6c53f60ce4e429df63ee115ce7444f0052b6868790a19089132941a4451688dafc818df34bbe7e63d708d161e78c10f65463ff25bfa569387d8f1a9daf430f1
-
Filesize 720B
MD5 9bf8190e99968221f24843cce7b37bc4
SHA1 dd382136e22b9eba85f71f262e6a641579553faf
SHA256 f3e8ec0b04804add0e8a0055592d90196a460bfe8c4dfcf947ee0366f624a60f
SHA512 14b23af230b1848f4e7c961f6ea4eac3641b16420070199c051d5afc6dce36b4882be418a817fb2d5cf563d06e208bd9ab55ed621630c3dc81fd142092a4005f
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 496B
MD5 4f7b81c12ab5a7a3f26633c268149aa5
SHA1 7ae140e9d9c3184aaf64a2925891b20b1306ad19
SHA256 b3b55938d085ed03e82c620d6eba6764a02be786e79264d7ebd546563ec7febb
SHA512 02b1fddc637fedeb8cd85a485191b742414f03791dd9cbec8088c25694b915bff4be468a720c8ddba1884040357b774fe02a8cfff378a5448bed5e5b662c4ffb
-
Filesize 720B
MD5 b8aa3a30aa85ea689e75a1a5219ca0e7
SHA1 1b5309a9db78991d794295fc94ffb04ba1fce683
SHA256 3276b9eac3291f16ee8845e6b7612a48aac2362a990ffc2a482a46b3dc860d14
SHA512 ea0e30b6ce6168a1829a964110941c096f1c703c0e8de7a9165769c9942ec2b330b0621b79cd084a9d2629ec7f66a0414604eb659ab307bf80d6b43511f41516
-
Filesize 3.2MB
MD5 2bd5876b597219f632c54705251c99a2
SHA1 90f6f22512e2297f43eb8104d492bf54f66d8a69
SHA256 52ab03f6941c21fb953f011d4f3de15c92fc566229ce42b1b2b1672c85683d6d
SHA512 ade4bff02bc00fbb137e9a450b612583685c9ffffaa222d4b48d98568fe76fedfa7d7a7201aa9630b70a02dc8ce106b5fc81be6dcd7ed4bbd46e5f51961d2881
-
Filesize 3.2MB
MD5 857ee271fe97719273d3a7df9586c7b0
SHA1 a815a6730abd1044c011e71a142e7d2aa370ba81
SHA256 ba26bbdfefe435d7ccf3bed77eeacdb9078a87468bce53916a05e6ed62091d77
SHA512 1bc69d4932d44fcaff533257d9b0ffca80714ec766bd676052d84a2b0e3ae2d71fbb936420d2a243d288a3ee468e9f41667a192ccd4ebd846e7595dbcfea0186