Analysis Overview
SHA256
f4abbf4717010d698712c6f85944d73755d0fc30a60844fc6d0c9d86822cca38
Threat Level: Known bad
The file c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
DcRat
Modifies security service
DCRat payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-14 11:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-14 11:55
Reported
2024-05-14 11:57
Platform
win7-20240508-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
DcRat
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WBEMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\WBEM\\wbemagents.exe" | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\ieupdates.exe | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieupdates.exe | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting Disabled >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecHealthUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -UiLockDown 1 >nul 2>nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -UiLockDown 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecHealthUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -SubmitSamplesConsent 0 >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe" >nul
C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
"C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo >nul
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start /b "" "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe" >nul
C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
"C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';" >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
Network
| Country | Destination | Domain | Proto |
| VN | 14.225.208.87:80 | 14.225.208.87 | tcp |
| VN | 14.225.208.87:80 | 14.225.208.87 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2376-2-0x0000000074651000-0x0000000074652000-memory.dmp
memory/2376-3-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2376-4-0x0000000074650000-0x0000000074BFB000-memory.dmp
memory/2376-5-0x0000000074650000-0x0000000074BFB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 06c17315717ec95bd609351e3b0de88e |
| SHA1 | d4c5cb2d0887fa75b85893b5aba1ce82de071eb8 |
| SHA256 | 9dcb3313a6132a0ad6737915ebfee89cac3faa12be942b8714c78f6d65146b95 |
| SHA512 | 3f75812c71264c1248f484812206950001398c15cb278493106da83971edc9a09ea106488ab892cc2f4f56665a636fec5306c32b97726062a4035da2ef5e2eb6 |
\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
| MD5 | 377fc74b249bfc1be3258a6facd9327a |
| SHA1 | 42620e2f8dc6d890d312f81a2337ae40b7a6a73b |
| SHA256 | df016016c94d7ad3f689b994f54f3070a91f2054e808a005a398875164cf7ec1 |
| SHA512 | f075185ca9e2a7fbd801b3aca33e29790630912edbb727d419e039c50a7af3c7578f77ec5e7e607a22291efde54014538b7a321143b95045695d571463a9fa45 |
C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
| MD5 | a58599f667d687f6eb51bb528a6bb528 |
| SHA1 | 0991f92dc45d82227775f9968d91dcbe703d03a2 |
| SHA256 | b93b33fff6d41f5c0388ec4a1e424db2a304582e998596810f47b9b823ef2807 |
| SHA512 | 2dd48e6042a65c0d7f1af17676ef3cc35dbdf5978c68ca00a1b6e228146bec306411e38e4bbffaf0de172dd7cbdd2993e9cb5c645d4251d420acb0501d39d0b1 |
memory/2908-29-0x0000000000D90000-0x0000000000E56000-memory.dmp
memory/2908-40-0x0000000000890000-0x00000000008E8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 8dff18646bd564e8ca6c671b5876cc30 |
| SHA1 | 7fd2c63047ab11eb177a49412d134957cc9aa8ae |
| SHA256 | 52494bf2f8f222ad90c89683db0d9f8d6bfddc349d44bfb7dc0c4d9ad253084e |
| SHA512 | 61c4428293ce0f85cefd640e535ca55b1ab41a44dd7c5e0df294b805308841ec28fa2d1cc0205d37f020d53b9d318be098d4042a77d6cfabd2fcdb558b7f21fe |
memory/2908-55-0x0000000005060000-0x00000000050C6000-memory.dmp
memory/2908-56-0x0000000000C00000-0x0000000000C0E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 7d8e619d3274bfe2726aa61e1e22b904 |
| SHA1 | 33d3efd6333f0999a141a35c419a94b99b18eb91 |
| SHA256 | 023bcc0e267bdd7148758f7eb15b32002beaae1d19e2a6a666679b214317dcea |
| SHA512 | 726beca385b989a754beabe0c84ed7d2f5df1e4a783da83424db99b6daf73659e91d1e07286d88e90e1cdf8d9a6bddcbfcb60a46a9e748cfec778319e21f1e03 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 11:55
Reported
2024-05-14 11:57
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
DcRat
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WBEMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\WBEM\\wbemagents.exe" | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Internet Explorer\ieupdates.exe | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
| File created | C:\Program Files\Internet Explorer\ieupdates.exe | C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting Disabled >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecHealthUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -UiLockDown 1 >nul 2>nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -UiLockDown 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecHealthUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -SubmitSamplesConsent 0 >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe" >nul
C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
"C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo >nul
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start /b "" "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe" >nul
C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
"C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';" >nul
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disabled
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMnitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -UILockdown $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| VN | 14.225.208.87:80 | 14.225.208.87 | tcp |
| US | 8.8.8.8:53 | 87.208.225.14.in-addr.arpa | udp |
| VN | 14.225.208.87:80 | 14.225.208.87 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1664-0-0x00000000752DE000-0x00000000752DF000-memory.dmp
memory/1664-1-0x0000000002370000-0x00000000023A6000-memory.dmp
memory/1664-3-0x0000000004F10000-0x0000000005538000-memory.dmp
memory/1664-2-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/1664-4-0x00000000752D0000-0x0000000075A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1y3diqv.s5h.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1664-14-0x0000000005790000-0x00000000057B2000-memory.dmp
memory/1664-15-0x0000000005830000-0x0000000005896000-memory.dmp
memory/1664-16-0x0000000005910000-0x0000000005976000-memory.dmp
memory/1664-17-0x0000000005980000-0x0000000005CD4000-memory.dmp
memory/1664-18-0x00000000058A0000-0x00000000058BE000-memory.dmp
memory/1664-19-0x0000000005D50000-0x0000000005D9C000-memory.dmp
memory/1664-21-0x00000000710F0000-0x000000007113C000-memory.dmp
memory/1664-20-0x0000000006C30000-0x0000000006C62000-memory.dmp
memory/1664-32-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/1664-31-0x0000000006BF0000-0x0000000006C0E000-memory.dmp
memory/1664-33-0x0000000006E70000-0x0000000006F13000-memory.dmp
memory/1664-34-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/1664-35-0x00000000075E0000-0x0000000007C5A000-memory.dmp
memory/1664-36-0x0000000006FA0000-0x0000000006FBA000-memory.dmp
memory/1664-37-0x0000000007010000-0x000000000701A000-memory.dmp
memory/1664-38-0x0000000007220000-0x00000000072B6000-memory.dmp
memory/1664-39-0x00000000071A0000-0x00000000071B1000-memory.dmp
memory/1664-40-0x00000000071E0000-0x00000000071EE000-memory.dmp
memory/1664-41-0x00000000071F0000-0x0000000007204000-memory.dmp
memory/1664-42-0x00000000072E0000-0x00000000072FA000-memory.dmp
memory/1664-43-0x00000000072C0000-0x00000000072C8000-memory.dmp
memory/1664-46-0x00000000752D0000-0x0000000075A80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/2648-48-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/2648-49-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/2648-50-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/2648-51-0x0000000006110000-0x0000000006464000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bcbf09b656253df526c9f77b4fed9661 |
| SHA1 | 04c0a21bc09c1f787efbdbdc8f7bd7e3444fdd97 |
| SHA256 | b886384f8a02a698a8845a373f4bcb276b137a323b5b00115279d8954754d42c |
| SHA512 | 5eb285bc8730d1d3e16ec4edac9bf4bdfcbf694b39845aed62f14a7e854bd0651ee4fad7e64036cf511d19573cb20b928f41968138023c3698eb48648872efeb |
memory/2648-62-0x00000000710F0000-0x000000007113C000-memory.dmp
memory/2648-72-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/2648-73-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/2648-75-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/4580-85-0x0000000006160000-0x00000000064B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c615faf05b2f236ee0c1e38d7a70b84b |
| SHA1 | 14846a635dae6b96122cdb3aa44194c3ab73535a |
| SHA256 | 2353e191a05930ab8e5a26c08a54b64e233b7b1b89fa2127c64cf2ad01f28a9c |
| SHA512 | 5ed48c1f0152542068fbe23cfe26621d121b62c3ed1b80b759cbe68aef7147f7205fe67f82e081732fcd2d6e2c50d5d92c9f1ef205ab8cf1cbbe829395240941 |
memory/4580-87-0x00000000710F0000-0x000000007113C000-memory.dmp
memory/3400-107-0x0000000005980000-0x0000000005CD4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 667e42960008505d1baf6188bd49f8d1 |
| SHA1 | d78dcbe225ab6313ce2c10cdf7d1cb5b11a939fd |
| SHA256 | ca563292a7839eab828b788d377062cc934729e5d0993705092bae246f31c634 |
| SHA512 | 814d071753cba0f64453fea122dc44b5d0517a947adaaecc6de0dea9f70d6a4a8c8e7cd7c6f0b1ebadb74b514fab58e80bc6590098cf1da0655e5361704c09ce |
memory/3400-109-0x00000000710F0000-0x000000007113C000-memory.dmp
C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
| MD5 | 377fc74b249bfc1be3258a6facd9327a |
| SHA1 | 42620e2f8dc6d890d312f81a2337ae40b7a6a73b |
| SHA256 | df016016c94d7ad3f689b994f54f3070a91f2054e808a005a398875164cf7ec1 |
| SHA512 | f075185ca9e2a7fbd801b3aca33e29790630912edbb727d419e039c50a7af3c7578f77ec5e7e607a22291efde54014538b7a321143b95045695d571463a9fa45 |
memory/4408-124-0x00000000002F0000-0x00000000003B6000-memory.dmp
memory/4408-126-0x0000000005240000-0x00000000057E4000-memory.dmp
memory/4408-127-0x0000000004C90000-0x0000000004D22000-memory.dmp
C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
| MD5 | a58599f667d687f6eb51bb528a6bb528 |
| SHA1 | 0991f92dc45d82227775f9968d91dcbe703d03a2 |
| SHA256 | b93b33fff6d41f5c0388ec4a1e424db2a304582e998596810f47b9b823ef2807 |
| SHA512 | 2dd48e6042a65c0d7f1af17676ef3cc35dbdf5978c68ca00a1b6e228146bec306411e38e4bbffaf0de172dd7cbdd2993e9cb5c645d4251d420acb0501d39d0b1 |
memory/4408-131-0x0000000004C70000-0x0000000004C7A000-memory.dmp
memory/4408-132-0x0000000005120000-0x0000000005178000-memory.dmp
memory/4472-145-0x0000000006110000-0x0000000006464000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9f16d0b9a8993d794e52c771599963c |
| SHA1 | 783e327771430714a2556a1a982111744c50eaeb |
| SHA256 | 2fe7419fca81f6cf4981dcceadd6826bba6f5144e8f75c18fb51102a79a6014c |
| SHA512 | fb15e0df1c58808c23cb415056d9bc783121ed877e638c4d8231c17d36f2fa00b5e613e5742b64072cb5dad956db96380b10bcb54c4ef2c39a1b7ca084ddf0f5 |
memory/4472-147-0x00000000065A0000-0x00000000065EC000-memory.dmp
memory/4472-157-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/4472-167-0x0000000007730000-0x00000000077D3000-memory.dmp
memory/4408-168-0x0000000006110000-0x0000000006176000-memory.dmp
memory/4408-178-0x00000000064E0000-0x00000000064EE000-memory.dmp
memory/4472-179-0x0000000007930000-0x0000000007941000-memory.dmp
memory/2928-189-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/2304-208-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/2928-218-0x0000000007760000-0x0000000007774000-memory.dmp
memory/3424-228-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/3988-247-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/4408-257-0x0000000007040000-0x0000000007202000-memory.dmp
memory/4408-276-0x0000000007840000-0x0000000007D6C000-memory.dmp
memory/540-277-0x00000000706B0000-0x00000000706FC000-memory.dmp
memory/3656-287-0x00000000063D0000-0x00000000063F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a49e89642f6568483ae05187ccedfe1 |
| SHA1 | 1fc134ca4a6195a1f716fca530b8a9de8b6e3d08 |
| SHA256 | 2b497d1859dabcfeb4212aac53eef839c122211aa479aee5b5978429d79a0860 |
| SHA512 | c87692e151932c7c93d6464d852e3cdd83d44a1d2b12e15b43cca0584efa3eb2505b706543cf4ac32259fd446e064e6e1570d6bd64229815da197969d427688c |
memory/4416-345-0x00000000706B0000-0x00000000706FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6b9b0050f5130aafc5d5bb97e99942a |
| SHA1 | 7715a46967840fa67a858315a9e096196e228e69 |
| SHA256 | 12cb285d5d02d7232b2351ab97e4aae5b0f2dff95479c301e618bdfd3712bf85 |
| SHA512 | 28508a4f05f4412b0aa4ad9b5e5148726bca702b99a5bb8be88176947462ea559316f453eb04211a7092619db4fce0fae06fdf55ba4c79bfefdf5fb52a3c32b6 |
memory/2764-357-0x00000000706B0000-0x00000000706FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38e5aee9ecd9a1cefa73997f16511af0 |
| SHA1 | cd35e64d0f3e238647ef5a06aa022df94ac0f87c |
| SHA256 | 4a44f851be6790a5b73ee2bcb852ad6ba428969aa615720809ddec18c35ac20d |
| SHA512 | 95262b6447ba7c117c7ba9325faa1ef6282752336f1363f5b3a61fc28d82eaf4a0edd105e745b9e2afed10ae6b216498c492ee10edbd57c37268124b3ba85ae3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa6f487a9ca37bebe1d04065966b1a58 |
| SHA1 | d02b12a3fbd171299674af74942da41ab9740d90 |
| SHA256 | 157e5e10dc2b661da55e1bcd2772a2e10cbe6e7c733e8078612ff2f4bc818213 |
| SHA512 | aac8b973900c102512efe6cc87a67683e94421a74ff3c566df8e05891dc5bbe6a917994da926639570d9e148c4da9ae945e80f91ef894bb054f9ba8e647766bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c3639018394785a708a45918fc00650a |
| SHA1 | ffa4b22279ad21ea5f109a546f15d3804ca9ad7d |
| SHA256 | 161d6aa925925b7aedf035371e67d6b05877134c788cce2cafd843b67a146397 |
| SHA512 | a528af30369f037b00fbbc2eedeadfcfc718027598854099ecc3c98a4f4c587e5c28a029cef923b2992b8329c219f2c587ab3442a46e61a1a0bc94a5ae9337cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 666189e85acdcecccae9f9e56b4a9bca |
| SHA1 | e7d98f92242651f2e9b2ea1b1714a1aedcb91e54 |
| SHA256 | abe6618e963332e307ccb72e09878969a03937829b1ceb6f9b5fecc0fc090ef6 |
| SHA512 | 3529363516fe87b01f1fb57efd17017530fac1bddd21fdca0cdd9ad42c45cdc7da45d6b43fc6f70d4a9ba522640ff74bc5651a35cd9ccfbbfeac05b32f83836a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62025d45524e57f805855fa92453bae8 |
| SHA1 | 847cc81eb5cb74e0567c37340bd03d1ebf68be39 |
| SHA256 | 564c82d8e73fe0896b58e145608046559b2d30c4f9a3c02df7a45a10db6d1b41 |
| SHA512 | 6dc0b2f415b921e0e9c408774a0bab18f4ceaeabba0fc8953708ec21aeb2e0d38cadb90d75decf0a6a55a458b0a440379ce2350c118c13b8010d573bed3cae8f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d75596074e947b2b96fd8cbd2cf8ee04 |
| SHA1 | 2c9b0f0cc9605405cc95964510ed93cef0016752 |
| SHA256 | b1a3769c0285115bcc771153c0a67e0c6eaef19967c47aa22bbd3a4f7deb9ec3 |
| SHA512 | ddc8e4c2177ab699e799d2c440e0eaa67305346b245dc0b257c3ef5713afad100729dd6a3f166c391936d543dd47afceae1a4fc98c46147491846199852d5359 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1b012ee0fe395f909fa79280a0d9213f |
| SHA1 | 0f554ad2ad1025991b768410a2e16dcf5833afb3 |
| SHA256 | 3fe7dc1c49ed2baddda8e141666d3c1425ac3981761adccf8cd296e69eb6a00d |
| SHA512 | 394341a410d282c04a22da9aa091c090007bed825df6a485b007d15fcd8be74ade4b2014b52b347260b0ecfc9b4c074cefc9e6b4dc6fb5ea3d4ba3252901bb29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ba640557867cfda98ecb79e687dd9bd |
| SHA1 | 5c03ae2728c65df25a6321618a02343fa11827aa |
| SHA256 | f32f55729a135620f6da53ec23cd07e43c6c02a30cc3fa7a33eeea18b2b5fb3f |
| SHA512 | 402343cd1754c0e1b3a985758f898e829ff07536aa48f43c7c0141581355a0266a0ce981233e5ef5ed1a616a65849fe3b768c873c54f694795856d6a4535e7b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c589d50a78b08eaa580d8eafc7103b9 |
| SHA1 | f0dae5f8fda16bdbb095655f8e91f3f447cc2a9e |
| SHA256 | 236bc7fa2aa90f4499e4f818338b8400b76f89c90af0ef9b1ae091e1bb11cb6b |
| SHA512 | 3706c3b667185101ded7e7ca728027cbcbbbbfc20b2fcbd8f754e3cc60cd3df9b3c64d2598fad682130b2a3719fcb61eae8b799ea5404224b84921598df575df |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c9b354d90e49515d771b080a19a7c6c |
| SHA1 | 28218270643862dcfed7b6e9f0b1e444f83bc7fd |
| SHA256 | 73b43edd448ced4445aa3307cf3f22242353d01d782a90500c683d44225f46b4 |
| SHA512 | b4fb5f2c2834f8d9ddb423b3103dae59c9b086f01996f0d3019c1aac1c97123a8f21df53e6cc24ad380b8ebc5f0764be80a9397fc40feb6fd4fee57e7f7471a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2c99f95147775337869043c90e61fdc |
| SHA1 | 9fce2c9400054ef081d9433067b0240333667aa4 |
| SHA256 | 6f90867c11dedd0dce59edd47e47c9cb3971caa0b3306808bc598cd9dbe46ce3 |
| SHA512 | d21a5966b951770d920770de91b4045c30acbe7a6d6b85f620ee4318322c86d2771a2af92e30af29c9e3d3c0c728c78356d82bc4f078bd3cc5e1c5941ef6dd64 |
memory/4700-406-0x0000000006520000-0x0000000006874000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f66842424ecd5aeafc2898efecb3d79 |
| SHA1 | 9b97bc608c5e27b19b9b5d84b4a3cc2f8799f3ee |
| SHA256 | 1520bc4eee1a18f51c6af6c624826f34514ea1efde19a797e5806ac742ba2309 |
| SHA512 | b1bfa3e473ca27dc5c2e35d22f560231abebf8eabd8458de445079f50697412e6525ccee9df9eeff026bfbbc21d8207dd524b7c569e0361b3585fe7bf31b14e7 |
memory/4700-408-0x0000000006990000-0x00000000069DC000-memory.dmp
memory/4700-409-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/4700-419-0x0000000007B10000-0x0000000007BB3000-memory.dmp
memory/4700-429-0x0000000007E90000-0x0000000007EA1000-memory.dmp
memory/4700-430-0x0000000007EE0000-0x0000000007EF4000-memory.dmp
memory/552-431-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/4668-459-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/640-478-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/1588-497-0x0000000070C20000-0x0000000070C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | af55ddd44baa3c6123ae081af92ee559 |
| SHA1 | 1eda02d21bc6be35cc23450050b80203b81e6886 |
| SHA256 | 16eddd2f671c1980d6858cf6ef82e8b517bfb42edb21bc85cc986dbe921cd625 |
| SHA512 | 8f9d876c4e899a883cb22a89fc721bbc58445c2686dcfffce9790faba201082e3e31282434e2e178eb8f4d56198dd7d96bc929d6951b6a5fcc78ef85dc9900fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f585bab75e34e1fa80218ed062e0d86a |
| SHA1 | eb00e958c2c93450b410c1910bb5a672d8be6e81 |
| SHA256 | fd6b757c86a7c254ea189a2d095e638de4de9d9a2cf01143278fc88cc90b3f96 |
| SHA512 | 85ff9f11084bb62a76df0fa793a8c2e88d96c0f3c9c206613d0d4a052767bb45b2fe6a5bec76c7f60a9f48d03a844e7dbe546a05b2ecf44ead35fadbee496427 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d9cf606aa988909afd24cd8755956243 |
| SHA1 | 54911e383b30ef9d64003d05912efdb366565a15 |
| SHA256 | cd948575ef99fe55795f102a8efc20c47705533ebc57126805070c965e2dca8b |
| SHA512 | 118d697b305c96a894c8c9d1c288188a88f645d9af7b11bf781336ba059ff4a39bb1e8d5bac138ba3dd0fd474d58fb2eda29d95c2ede87cbfc6977af891141e8 |
memory/1932-591-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/1916-601-0x0000000070C20000-0x0000000070C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f92c785310813569d7262d1301308bcd |
| SHA1 | 37d3c0e6d5d3653630e914452fb999e1a680b28e |
| SHA256 | 7dd53dd1e8ec26cea42ae3c20150958a7f791d8790fc1bf5a321a392fe8b7558 |
| SHA512 | 3fe26d856aa7b77a822e7fa82c53e59a65f68b2fb1c6f980717c3902a54c1a9ef3e00579c6d458375c6dc6f5fc2e6488df8db983b371d7fc4b994df38b2a3009 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | adcf9d7281165e865bae1172ec202351 |
| SHA1 | 7029438e40e649a088712ba0a05a0749918f6db5 |
| SHA256 | f913af08006bd0d15ae381c501f5d45310d5c435c08d02d63a25d853c4a409f0 |
| SHA512 | de76db90e5d98186fb2fa1c4d7df93b27b86e6178616171a9ac83d2876194eeda89669814755099c45ea0d1149ee90b33c8f0deacabd960987bc9504c155e8dd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5dbd53aa63a532ab65ae78252eacc443 |
| SHA1 | 1e4b33fa2aa6ec98aa9b3ab8dec12b4bcc9bf9af |
| SHA256 | 00de94e4398f9fb4f25132686b95ef94a7bfcdd40f7bb9d518d8a0bf9d1e8d9a |
| SHA512 | f7ac73b093bb4a8627f4d20e4e2a33bd41f86b54d5f92acac2a4d4ba6dabf0a328a59e08610fcc9e1c4776af89cea773f9d1df557a81e0b68a1694d0b9d386b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 204a982aba5bba6cf155c562e69b0545 |
| SHA1 | 7a4849320a6d47702b0567fe6bd262fa80cc4dee |
| SHA256 | 5420bdf22b7dc172d087970e6481b446af6220e7c568ee01696b1d4ef55a610a |
| SHA512 | a89c467197fb355a43dc73e83f22fb72a93e2432072f7013e0457307b10677557457c1ad4d266522419deffe55472c4b60473dd9c888a70c189df7c1d2763866 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1f6de379b8afbfce2a6c9628739748a |
| SHA1 | 7de15488a1b904080f6583c7541083e970f07056 |
| SHA256 | 1d273ad3c4424c75b730eb0964e62ea492645d0df2a114174fbd6e273e59e0ff |
| SHA512 | 2d6877f062ae804090369da31af67b95b9676b2042ed00727f3fabe917cb4842f37358de36af73fefc762f83d76fb8a57691181c391ff76b149bcd056e0acdf5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 92340e316c96d86e11beb2299fb1b45d |
| SHA1 | 709351b0b1c325258e8f6d811a565ebf18c01493 |
| SHA256 | 625ceb1f3484580c31762d146892b6071af128430271251780a4d88abce107c9 |
| SHA512 | 3d8f9fbee3617a5aef2289bfb4d879e29f24594847da3339491639b08ba9818725cfee7626174e2cad82c59a65ef610d59c1ee71bf5a5bcd2e14d69b380245e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f8b1588bc64630c7d5cd9d34da768900 |
| SHA1 | 1de90a69ac6e4e32e6f7b292194fee93db9d46cc |
| SHA256 | 32b4aa6723b1f2488a76be57a2a6d8f2b60f8b6b8df8aff5a69933113389bb3b |
| SHA512 | b014dd4fa123a7b1fef8cbe0dcabff6da0f2ed189dd86e0995b3408176f086d1438df1ab42249170dccd0310eac7e7ba2be3e10369186da319ab9ef6dada6361 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 195a338a356ff27e2319e2c5e49f6061 |
| SHA1 | fe2e1c81312b343ee1faf58d5e219ab46e918f58 |
| SHA256 | 64f202bb66dbef7cc69df91c9d30e83c09d4574f97307f8be902422edae1ef7a |
| SHA512 | b475d56879cebf49de0aca5d19f506c4296eabbbf3d339e53e7a62a7166d82f33e0f841c814fbc388b262d53f6219c4ad48965b386fecad86ea0b5ec1336978b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cab9627fcd523949b98a4242915c6430 |
| SHA1 | bade3cfd49809711d5d6e2eb5008854d30d4595e |
| SHA256 | 4572742e0a9e8b57178197d7fc98eb9882d156c80ae988472dcda7e60b9a53e7 |
| SHA512 | aff32e969e9becde3da18197e39b3f2549d1462a01e322d2576185fd551ab589e974e867f99fb9eeb5b973ebd1688649644ef5d308cc8ca5c165b3f425fdfdde |
memory/4076-642-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/3748-661-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/2788-689-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/4128-708-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/4364-730-0x0000000070C20000-0x0000000070C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 323070eec72e6c4122264ee1f3213597 |
| SHA1 | 816d00ea0a8ae3ed87d9f8c7dfb114a4ff3451fa |
| SHA256 | 536e7a03d3b248433128be21590f376b5d52d61328a423d7035d8ec611cbe896 |
| SHA512 | c938c195f457d22f6f7b00f0af8489e90b5b65424b26d372129dbd358021a881801eed3245a1bf5ae1664cd7fe6ab56976ab87b7f0e3b7cb54fac9962efa41a2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c548fca2874dcf39fc5b88dac5d7b73f |
| SHA1 | 18836cc426b615b55ae56f93418a403875b373b7 |
| SHA256 | e761f7c52d6baa3bc274510be77890ee364edba9d8c2ce7c65e7fb17298e7091 |
| SHA512 | 9d374471934d6a9dcbcc8681cc8b3d39729e41de8a5bd288006748288626eed20d6b6d9c29026898163594ec3ed02fb03b338442f95482a4f93e0381a5856bc6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57d7533770ae050bd4fa98ff8876a5da |
| SHA1 | 8f503cb2786aceb521f4caf27783e1adab6908ff |
| SHA256 | 9b43720435009857f658ffbb4b961cfb907cdd675ac975590362e19a9a332241 |
| SHA512 | 809bb84a681ea330a3775b62085f6a14670a2da6c5ce7236c2f62dcc6783875000474d422fbc8c88dab6d7211c146de844ad4c80d7bc9cd3b3c1d2daf94db8f0 |
memory/4168-821-0x0000000070C20000-0x0000000070C6C000-memory.dmp
memory/3112-831-0x0000000070C20000-0x0000000070C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd6193e7f06b3c6aea452decf1d86dee |
| SHA1 | 28b33dcdac21ae7f97d37a92e148ee4808507351 |
| SHA256 | 3c56f451b050c2ebca7badc07538a26bd0d3d2c29f6b28f7daec6e31542c3d59 |
| SHA512 | 4caa53b67b38d4b5da035f6be89b46f6910d3d7d60ce65311c6f8427313d4dd9b8956baeef6e8d8463c79f6540ddc5adc7accb8417e5f7fb9797422b088002d5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba98dcebae4537940d4dd75175d65127 |
| SHA1 | 24e80502a65d35b1a705c4dc8a71b38301e0768c |
| SHA256 | 7670900a3f99498eba3dd89220e1548055b00b1d3be6d8bcb34b3c9f2534afae |
| SHA512 | 6a4cff2181cd3ccf13ee18d90aa0d501ccc18a8639b3af3a8d54539f9201b7bacec1d4f67e47b15b84567a5846aa5b8f200a8010b27d497b6c423b3e27a892ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa1f7d3ff24490eefa2f3f4b4a5c5ffd |
| SHA1 | b6e5f1b825709d386b01e0dc7ff42a50c5f90e1a |
| SHA256 | a720bdbcce9a842cbb3881a2f8799231ad331819618a2333f1e77cff326f1afc |
| SHA512 | eeaef0fd6b2a6193a27ae3c2092e2e68af171035558fa220c69b8388415772f610634903909d263a35175cae54a7e27c80d3ad3361cfbde8c0e880ffc16a5cad |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e9dc81de520ce50716f55147e1bfc4bf |
| SHA1 | 4cde30472d484b7909e94a082c09049c308b6eaa |
| SHA256 | 9fbfdf7259debe894633a9d9b5b94fac62dd4b0f111f1598f8aa70736d1288ef |
| SHA512 | ef817647781eca09968448c6bfd6a2fc8ad3d44db6ecc2743ffed6d0154ea93428603d0a326c22b20862b177da7316f60ef020d4601da16ee581f6fa7a8a9d9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29ab50c0db0c67817d14d14e9a61d8f4 |
| SHA1 | f3d7682253863a6b41fe549bcca4b86be4ebd975 |
| SHA256 | cba0edb7d7f936356e9f4836fcc2844c756536a1711def8d5c849df25d600d75 |
| SHA512 | 9550a294ba1c9f0f13597ebcae8608a1bd25807b1894b00ee285dc650fa9ccf4d5a4692992cf87268e6e6807e50b4f61c6591baac683951b9014c8cbe57cb92e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2951ada0a4c84457178a826f3410c08a |
| SHA1 | c8af452a7332d5641f5f70140864e9bd4ae90d51 |
| SHA256 | 362299f4bad9c82b46ccf0099682f1731a1adc7ec75318aa2c3bd97b943c7802 |
| SHA512 | 2dd7d7d50316a3f2152d4c128f962c0a3937caa083ca3d4fbae3a88afa955ecfc70aab8049c733a04023e02bf278cf9f240af456405c87cddec7d9bdd1af803f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 306f89a922ae9ada6c5b7a380b8ed169 |
| SHA1 | 663659b9e503e0795ec5b5d3f219a6821b8ee895 |
| SHA256 | dd0c298d5b4c7d2fe621c4cd214e67cb599fcfb4ca4d7a1cb61fc34ce85bedb6 |
| SHA512 | 9f86ac61f2661d4fe6401ad7db6b61eabffd171603d4e126920b14487d7227074969b797eb023daf2b8cb830b73ecccc1677db3d206eb1e793d3d651dc595679 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4e56f63ec7e1a4d9adc05891374bd2e8 |
| SHA1 | c92176ca1f2486765c690be5503d7f5b02198c64 |
| SHA256 | 77b81b52c8df7484b370e2ab0d1e8d352d79b204dadf741717aeda1c61269378 |
| SHA512 | 88cd9e6bb871e393c79f6e1150a4f0ffbaf7fbad4fb258499fbf51425bdaa17281f8f37a685847f1ef7bed514175313c847b164e53b46c323514c12a050cb47e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b23eefb121de7a49a74080f1d73cf5cd |
| SHA1 | d5b7b2399bec01822817c5c5e7ca43150d3b3c32 |
| SHA256 | 100915e7382da08e7ebe82ba8fe156e50950825c5fb21e633705c19abd47c465 |
| SHA512 | c6211eff2db9956d1e33dd1af9c6ff3141782c38a195ffd7fabc9f5a6cbf7a724386847f7a6738d9429dbf511cffc91ca5071cc5c3b731c0e7df5d10d5b85cf5 |