xmrig | 24a163dbbbd12e458bcbcfa3e9707da5c7364369060344f062ef46dbf208169d

Resubmissions

17-07-2021 07:06

210717-1kxa6mzxae 10

17-07-2021 07:00

210717-qdqgcndlqe 10

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10v20210410
submitted
17-07-2021 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

3.3MB
MD5

08684a98326e5e871ee7832859ff16da
SHA1

d43d471b3ba5a29edb0910ac5b8db6ce079fece2
SHA256

24a163dbbbd12e458bcbcfa3e9707da5c7364369060344f062ef46dbf208169d
SHA512

1dacbc24d8acb82df6e9cc2f2659a11c4c7e495557c7ed7767538a6b936aa9b8754957e8c4cff52ac239ad5a122ae18374c92ec9a23cac308dd001ed22a1eee7

Score

10^/10

xmrig discovery miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 5 IoCs

Processes:

miniworld.exeMicroMiniNew.exe9M1B.TMPmstray.exe@[email protected]

pid process

5096 miniworld.exe
4072 MicroMiniNew.exe
1368 9M1B.TMP
4328 mstray.exe
1628 @[email protected]
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
5096	miniworld.exe
4072	MicroMiniNew.exe
1368	9M1B.TMP
4328	mstray.exe
1628	@[email protected]

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cmd.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LockComplete.raw => C:\Users\Admin\Pictures\LockComplete.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\RedoImport.raw => C:\Users\Admin\Pictures\RedoImport.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\SyncReceive.raw => C:\Users\Admin\Pictures\SyncReceive.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\UnlockWait.raw => C:\Users\Admin\Pictures\UnlockWait.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\ExportExit.raw => C:\Users\Admin\Pictures\ExportExit.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\FormatComplete.png => C:\Users\Admin\Pictures\FormatComplete.png.MCNB	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\9M1B.TMP	upx
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\5HB2.TMP	upx
C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP	upx
C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP	upx
C:\Users\Admin\AppData\Local\Temp\2334.tmp\2Y8U.TMP	upx
C:\Windows\System32\mstray.exe	upx

Loads dropped DLL 1 IoCs

Processes:

MicroMiniNew.exe

pid process

4072 MicroMiniNew.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfdhs = "C:\\Windows\\system32\\msfdhs.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstray = "C:\\Windows\\system32\\mstray.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Windows\system32\msfdhs.exe	cmd.exe
File opened for modification	C:\Windows\system32\msfdhs.exe	cmd.exe
File created	C:\Windows\system32\mstray.exe	cmd.exe
File opened for modification	C:\Windows\system32\mstray.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2432 timeout.exe
2808 timeout.exe
4300 timeout.exe
3172 timeout.exe
3212 timeout.exe
408 timeout.exe
Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4240 tasklist.exe
2124 tasklist.exe
2656 tasklist.exe
4412 tasklist.exe
3696 tasklist.exe

pid	process
2432	timeout.exe
2808	timeout.exe
4300	timeout.exe
3172	timeout.exe
3212	timeout.exe
408	timeout.exe

pid	process
4240	tasklist.exe
2124	tasklist.exe
2656	tasklist.exe
4412	tasklist.exe
3696	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2728 taskkill.exe

pid	process
2728	taskkill.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132625117264543786"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000003adb7d56d97ad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000d8324956d97ad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033a4c4b1d72dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1740 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3600 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3832 explorer.exe

pid	process
1740	reg.exe

pid	process
3600	PING.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

taskkill.exeexplorer.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeDebugPrivilege	4240	tasklist.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeShutdownPrivilege	3832	explorer.exe
Token: SeCreatePagefilePrivilege	3832	explorer.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	2656	tasklist.exe
Token: SeDebugPrivilege	4412	tasklist.exe
Token: SeDebugPrivilege	3696	tasklist.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe

Suspicious use of SendNotifyMessage 42 IoCs

Processes:

explorer.exe

pid	process
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe
3832	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

MicroMiniNew.exeShellExperienceHost.exeSearchUI.exe@[email protected]

pid	process
4072	MicroMiniNew.exe
4072	MicroMiniNew.exe
2156	ShellExperienceHost.exe
2156	ShellExperienceHost.exe
3300	SearchUI.exe
1628	@[email protected]
1628	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.execmd.exeminiworld.exe9M1B.TMPcmd.exemstray.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 4972	4436	1.exe	cmd.exe
PID 4436 wrote to memory of 4972	4436	1.exe	cmd.exe
PID 4972 wrote to memory of 5080	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 5080	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 5096	4972	cmd.exe	miniworld.exe
PID 4972 wrote to memory of 5096	4972	cmd.exe	miniworld.exe
PID 4972 wrote to memory of 5096	4972	cmd.exe	miniworld.exe
PID 5096 wrote to memory of 4072	5096	miniworld.exe	MicroMiniNew.exe
PID 5096 wrote to memory of 4072	5096	miniworld.exe	MicroMiniNew.exe
PID 5096 wrote to memory of 4072	5096	miniworld.exe	MicroMiniNew.exe
PID 4972 wrote to memory of 3600	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 3600	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 1368	4972	cmd.exe	9M1B.TMP
PID 4972 wrote to memory of 1368	4972	cmd.exe	9M1B.TMP
PID 4972 wrote to memory of 1368	4972	cmd.exe	9M1B.TMP
PID 1368 wrote to memory of 1700	1368	9M1B.TMP	cmd.exe
PID 1368 wrote to memory of 1700	1368	9M1B.TMP	cmd.exe
PID 1700 wrote to memory of 1740	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1740	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 2108	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2108	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2240	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2240	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2432	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2432	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2428	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2428	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2656	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2656	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2688	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2688	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2732	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2732	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2808	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 2808	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 4400	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 4400	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 4412	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 4412	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 4396	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 4396	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 4384	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 4384	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 212	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 212	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 192	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 192	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 940	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 940	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 4136	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 4136	1700	cmd.exe	cacls.exe
PID 1700 wrote to memory of 1916	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1916	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 2728	1700	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 2728	1700	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 3832	1700	cmd.exe	explorer.exe
PID 1700 wrote to memory of 3832	1700	cmd.exe	explorer.exe
PID 1700 wrote to memory of 4328	1700	cmd.exe	mstray.exe
PID 1700 wrote to memory of 4328	1700	cmd.exe	mstray.exe
PID 1700 wrote to memory of 4328	1700	cmd.exe	mstray.exe
PID 4328 wrote to memory of 3980	4328	mstray.exe	cmd.exe
PID 4328 wrote to memory of 3980	4328	mstray.exe	cmd.exe
PID 3980 wrote to memory of 3212	3980	cmd.exe	timeout.exe
PID 3980 wrote to memory of 3212	3980	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\1DCF.tmp\1DD0.bat C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msfdhs" /t REG_SZ /d "C:\Windows\system32\msfdhs.exe" /f
3⤵
- Adds Run key to start application
PID:5080

C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Roaming\miniworldgame4399\MicroMiniNew.exe
C:\Users\Admin\AppData\Roaming\miniworldgame4399\MicroMiniNew.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\system32\PING.EXE
ping -n 120 127.0.0.1
3⤵
- Runs ping.exe
PID:3600

C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP
C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2334.tmp\2335.tmp\2336.bat C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP"
4⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msfdhs /f
5⤵
- Modifies registry key
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2108

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Music\*.*" /e /d everyone
5⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2432

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Downloads\*.*" /e /d everyone
5⤵
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2656

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Links\*.*" /e /d everyone
5⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2732

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Favorites\*.*" /e /d everyone
5⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:4400

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Documents\*.*" /e /d everyone
5⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:4396

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Videos\*.*" /e /d everyone
5⤵
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:212

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Pictures\*.*" /e /d everyone
5⤵
PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:940

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Desktop\*.*" /e /d everyone
5⤵
PID:4136

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "mstray" /t REG_SZ /d "C:\Windows\system32\mstray.exe" /f
5⤵
- Adds Run key to start application
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\explorer.exe
explorer.exe
5⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3832

C:\Windows\system32\mstray.exe
C:\Windows\system32\mstray.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2910.tmp\2911.tmp\2912.bat C:\Windows\system32\mstray.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
7⤵
PID:644

C:\Windows\system32\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\find.exe
find /i "@[email protected]"
8⤵
PID:4232

C:\MiniworldRansom\@[email protected]
C:\MiniworldRansom\@[email protected]
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
7⤵
PID:2080

C:\Windows\system32\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\find.exe
find /i "@[email protected]"
8⤵
PID:2268

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
7⤵
PID:2636

C:\Windows\system32\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\find.exe
find /i "@[email protected]"
8⤵
PID:2700

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
7⤵
PID:4400

C:\Windows\system32\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\find.exe
find /i "@[email protected]"
8⤵
PID:4408

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
7⤵
PID:4424

C:\Windows\system32\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\find.exe
find /i "@[email protected]"
8⤵
PID:4360

C:\Windows\system32\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:3172

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MiniworldRansom\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\MiniworldRansom\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\1DCF.tmp\1DD0.bat
MD5
7866a5a1582f206546bf8c8c89f74671

SHA1
e05c6d1ea5e8f25e61f15150a3c75d25a1cc1e94

SHA256
327288a7f22e769ccc62e9b33885872785239d1341166660edd7b727839e67c5

SHA512
53dce31e13ff1fbeb4621d89508499787041e34f201d09bb1a66c4f9650eae4cf431da663da8b19ac04f1a7bc4b01c27ce1e1ba36e544515111673a63f3281f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\5HB2.TMP
MD5
de756b93882386b7ef059489d1e56ca0

SHA1
de7acd75203c104ef7ea3fbc3aa1ebdc72e585e2

SHA256
de6d189d084d07e0981df8e4a7956f6019f9e696180de0a4dea29aa4eca42ea0

SHA512
c8c2e603c5140043bba22f15f34a3be21a933d4aa39ec79b34813c58023e0ab3172ba1f25da74c54179f3f4ba4fe442b3d1d8684baf15057ef407f81b6f05a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\9M1B.TMP
MD5
15f71f76e53975f8276b6736741342f3

SHA1
b185723d4b783392dc0229cee1b3d682662cea37

SHA256
d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06

SHA512
4ad2b8f1220188ece7b66f9480f72fd90212ff75bb587d557187b6ed0039bfe7f74f957fc5ca3c5fa88457736eb78a93a64332c3b81e75e624dc777077681e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe
MD5
bae388b46046dbc75bbb71c7cde7d347

SHA1
2f29c1788b4ec4a50e9c7b165fd40a931950638c

SHA256
409607b463d6bdb1feb2be7179cab037e450b1a503694ff8efdeec285c572d58

SHA512
24a9863fe782cacd357604e37c32fc1986626d261d5a0f9e37a24cc6111eb6a037c820ba30bd5fd66801f2c1b2f9cb28254f20ef07cea26fda9c9baad569d16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DCE.tmp\miniworld.exe
MD5
bae388b46046dbc75bbb71c7cde7d347

SHA1
2f29c1788b4ec4a50e9c7b165fd40a931950638c

SHA256
409607b463d6bdb1feb2be7179cab037e450b1a503694ff8efdeec285c572d58

SHA512
24a9863fe782cacd357604e37c32fc1986626d261d5a0f9e37a24cc6111eb6a037c820ba30bd5fd66801f2c1b2f9cb28254f20ef07cea26fda9c9baad569d16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2334.tmp\2335.tmp\2336.bat
MD5
e9b7f5e881a2acedaed2ab8a383ae868

SHA1
007dd77306674371ac941350e391f76b95d75892

SHA256
7f46a26b89ef1c5f291b2b5a389160ff00c072e90e8796a0ccd0818476fa7e43

SHA512
bdeb27b48621b5cef41c3c9329ba64c47347d6ee6489177ab2a9ca3a4529bd823f760dcec3d3f030bba517c6accc89d3277c6699a08d32fc33bec6b6e1860acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2334.tmp\2Y8U.TMP
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
C:\Users\Admin\AppData\Local\Temp\2334.tmp\3R9J.TMP
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2334.tmp\@[email protected]
MD5
d2d51c6d6cc1cdd77ef953437e55086c

SHA1
2b4d4a9ff45540c137a426ea93d508c8364e1e9e

SHA256
6266559ecd24ef4be236373a0b059415d24ad689ad0a60ba7ee0ca0ee99d31b9

SHA512
440eb2ebb00a3008bf40d2a1a59ce88ca49db30c9fe8179e0947e5b75d6007678e54fc4c2bd1df6f5dfdc4629e7fa99d0039154b9d0904b8ef142f7e681aa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2334.tmp\background.jpg
MD5
8caeb0ab9e567bbe2bb1d3a6f8871782

SHA1
c7a5522eccaab5c0d435cf32a982c24ec69ceda3

SHA256
1fead54464769a95c719c665083cd6022c2f8f85d8b865f5481a7ad09d4c1631

SHA512
3d2bb691304c873a8ace9ea8909cd466278487ac2af87fbbb973038e3d0e5bd24e74f85ef7158c1f44290ac21e52ad1ed3bfa1fa061c9fda0165f085c7880619

Download Submit
C:\Users\Admin\AppData\Local\Temp\2910.tmp\2911.tmp\2912.bat
MD5
3f8ac701a1bdb8ce5a89f49c3071aff4

SHA1
84e76f63cf9f91495a5e7eb9220f10c51e4d828f

SHA256
2354202cdaf8d417b682ba1440e84f0aea6495fa4268fb306647a2ea22df9d56

SHA512
1a884548f1fb52d770ee2e1d88282bbc81a0bdbd67087e401efc7ede3afd3f3bc7424100a1e21cd718930d06671af3fe7a51e8812309846a6c9d2b3b49894045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\4399ÃÔÄãÊÀ½ç\minigame.lnk
MD5
0864e914572c89f7e3525dcc22afb037

SHA1
a925c26abec00b3aecfa043910252dcc81152d0e

SHA256
ab566f85f963bf683891780fd9b2ba03c5c64bd158637777f9c02609a8c22523

SHA512
6a87515dda5a5d7d5f62547db8a69d35b262e736a2e74627df0dbbb249cdf18413edc0d33cef4e4ce338bc6f2615a64275f092395a815f49c80fd3224284a457

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP
MD5
15f71f76e53975f8276b6736741342f3

SHA1
b185723d4b783392dc0229cee1b3d682662cea37

SHA256
d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06

SHA512
4ad2b8f1220188ece7b66f9480f72fd90212ff75bb587d557187b6ed0039bfe7f74f957fc5ca3c5fa88457736eb78a93a64332c3b81e75e624dc777077681e02

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldcfg\9M1B.TMP
MD5
15f71f76e53975f8276b6736741342f3

SHA1
b185723d4b783392dc0229cee1b3d682662cea37

SHA256
d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06

SHA512
4ad2b8f1220188ece7b66f9480f72fd90212ff75bb587d557187b6ed0039bfe7f74f957fc5ca3c5fa88457736eb78a93a64332c3b81e75e624dc777077681e02

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\MicroMiniNew.exe
MD5
0ad083f1ab7f60a008b32b061585cd30

SHA1
d793b1c480dd34ed8cf5614df04980e1675476d1

SHA256
b02107806809c0a7cdf58dc12269e3d7490f29bb1f0e1e98bb09c33fe05ec515

SHA512
cc0a12c8ad1fe800247f8de15fca1cd1001a8c08186e35fb2096cd55f25c8d8f9510fce073538a3423b5f4959881c677c7de3273cca861567d01e2829167adaa

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\MicroMiniNew.exe
MD5
0ad083f1ab7f60a008b32b061585cd30

SHA1
d793b1c480dd34ed8cf5614df04980e1675476d1

SHA256
b02107806809c0a7cdf58dc12269e3d7490f29bb1f0e1e98bb09c33fe05ec515

SHA512
cc0a12c8ad1fe800247f8de15fca1cd1001a8c08186e35fb2096cd55f25c8d8f9510fce073538a3423b5f4959881c677c7de3273cca861567d01e2829167adaa

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\configbase.ini
MD5
ce5a8f0dee9325fb9fdacc3414ee6f7d

SHA1
8ee29de24d1da1b38d280585af2bb4bd6055ff9e

SHA256
624cccda01537346133fd1c582854b40662e106c1da9f28c00d59fe5fb1a2177

SHA512
fe75c935a3275d61aaa9d00e01746f0b64825c4e717eb26c1125202c1a85b2a780d86e937427fe80652b1a3afc3f6a45136340cf56327c110b4d9c82b327e74a

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\configload.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\iworld.cfg
MD5
be9daf97fdd47f20ad2bee8204af3a77

SHA1
972d17598b7ee2e3831bdc1d631f9df0379320df

SHA256
5b6d8ddac6b84d99d9fec6e752a4f10211504469eacf1d3fcccf66d72960a1a4

SHA512
a3d075902ae741beb4072c0bd8a5436381770b3f016ff35bc627437ce746d24b097ff54225455975c4bd7995d50be47e6fde5fcdcae1c446ac2e6862951cb139

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\miniworld.ico
MD5
4f4d64d85a5de8dbd878eb500f382c24

SHA1
b7c5bd63219f1064dc3a89962583932cd2c814b8

SHA256
79190dbfb16e0db887cc9242ee926ba4ece5917ca95d661ef899969cd980fe7b

SHA512
384d5d31ae1e7c2c143975da066e7662e0eeb3853472607be3bcf5a2571c4fb9569e84aaffa51b06870763177ee6dfb7a8c76b494307982fd1884e67985050e3

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\min_d.png
MD5
f5fc331014a665ad411853230edee24d

SHA1
5f68ee4a608dbb93814a2f0b19e5decac8f7a66f

SHA256
eefe5954750f6581d2565f997c91e217e015feb94d6cc6afb5a1cd3274ae7f4f

SHA512
35d7f2b9213b17504cd4f5c90407c48d0d7a4188ab89cf728f93555eb003ba233b64d64e3fcae85bf6a14bb0231957deb8bc3f6759b310028b74406449623a2c

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\min_n.png
MD5
4aa66ddc1d6b29451572cf87a4266b3d

SHA1
216cf850cf161b908ccd9353fa8b64a0c65c57d5

SHA256
296d3d4ca8370140c2a1076d75fe9ea212c8f5d4fa9b19c595f348fcebba9527

SHA512
07db33f69a3de9a9a67b9e43ce9bf6310b662e1256d10c759e1bb0fe7fbbeafde4956ffda5ac78fda5f8d459f0895fa658d11af964421c616362ec405c5067f7

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\min_o.png
MD5
a74c17afe0499a91fc330cc9ac87e806

SHA1
d2f374c1737edd4d80c51d2e6185ac4e94560327

SHA256
626fa01e5a7d8c03cd1611304480765fff7d6c21e505b2fd9f165f5d919329be

SHA512
5c65605800bd1faefe7b67c810582ecea723742bfc3ebb498e046a96db383e7e26358ac0985b845a7ddac7dc5ef03bd480297f66e36e21216be369496789481a

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\progress.png
MD5
ed625e96d3b25264b479c9aac6f5d05c

SHA1
9a724ddf49b3112e58df6d96e00f0b645698535d

SHA256
ec9e8f05b87d8a886a329ff6167e56d411ae0effc30fe376e0a1ce929d80c3eb

SHA512
0bf3e9a76b7bcb91291720456d76a0342c26ff1ad060b3d53b14ea15d0c4affb103ddf97d95c0c95efbf4f9d72bc43ecd2e7b79fb05374d1a80fdc202b268014

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\progressBk.png
MD5
ca240697cb1c9812162e418dec891060

SHA1
591e4b63bdf84b1f110509bf4f25426a790b6081

SHA256
693621b6c27b406e9d72f570bde86948ba0555b843df5c91045178e7ed1b0b4d

SHA512
245a9d42c87909633e4eda535288a9c5d1443e15eca63dbdaa8229c1dca70240a782b16367ead2682fd9f54619301876eb66e649c3c731ef3ce60728e57ea682

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\quit_d.png
MD5
1d1b1ebe64bb941cb4e0271f49dfaa85

SHA1
27d2c5a125691e5c2283d3f7183769edba84b2f5

SHA256
3f8cfe42591c5e62e2912bb9dc3fba59aebbf41cff4a39b799ba1bae71bf5386

SHA512
4afc5f71b5297adc91614d325496a2cc049970df56db3d7f257f5dce9c8d1e4da802bf8ff098eebc5f897d038e09bbcd232b7cecc7ae5c7c4528d9bcc1f5afb1

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\quit_n.png
MD5
344e680ba78618cfe32aa47809327636

SHA1
319d83047b7b0234049c3fd3d2ec47265c0785a6

SHA256
01be4079f7b15cc97033f74908663fd10f5d1562452541690a0f30e66bf8482a

SHA512
d852fa9d19a0ec55a1e0dc2fd9aea0fcb4085a567ddf47b22295e795321662ff3edd38f562f2c8af6facc77dd8bf8e0e11724c1f9e5fc24b286642d58994f676

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\quit_o.png
MD5
2742e08c12a45ddbe9b0b0822216c378

SHA1
9a078511c4dd05a92ed95f6a90c0d7e4e58d5400

SHA256
ae18079d9fb79f3ba83cd1fed72c09e9e3940a9aab2e9a167daeba0eda049fb3

SHA512
738de9afcd49d332fb0c107adf9236cad575ccfa54c505978c2fd62ebd8a81ff62b515060b64641746b51ab1aaaa057b9603d02fb1940ceafad9f0b168b51aef

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\pluginres\start.png
MD5
12c6368cb25e4e407002cd652223792c

SHA1
36bb70ca245512d6c3e09c8fcf46adf86dc1b983

SHA256
be537cc3adb595d8739f01049e05f5636f52057591ace371101ecc4141b7d270

SHA512
541339b7ddcecc52d064ea8ea1113f84b1332a3b287ac6826e9bae049ae20a98e97d9a9c553d8a44d3610b9fd53f080665e2cfb8d599d0577a50eae07ff1637b

Download Submit
C:\Users\Admin\AppData\Roaming\miniworldgame4399\start.mnw
MD5
16fa73eb3867b9dd16194ae843c65ca3

SHA1
94abe7de3ab4e1fcf91646fb1e206b92e1058d87

SHA256
34afe6c9f1455b6d580a4d0365d7397ab7c0ca2fd7f974df3a9aad969c2158e4

SHA512
3805097122581e8b82de793870cb461732ce76eec061411dde8d9da300fdcf9c9d22072ea33f255d8306d16fd89f27b042f225b16538d339dca1127c59fafdd0

Download Submit
C:\Users\Admin\desktop\4399ÃÔÄãÊÀ½ç.lnk
MD5
ac1266779a95e95af3fcc6c8d1661530

SHA1
7b48443990f22a00f79d78d1ff416e3febe7c2fd

SHA256
669d50289e672a1deffb210fc9138b7a26f23b79e49d454357a47a0ce112939c

SHA512
31f5fe94909c8b260127126e8f93d3ebc0066de51c6c9d8e6596a33fab63c259795133bce5d56b93de05a986cebbb837dbacc1c85cd45f7b2479ad21f9ef1558

Download Submit
C:\Users\Public\Desktop\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Windows\System32\mstray.exe
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
\Users\Admin\AppData\Roaming\miniworldgame4399\start.mnw
MD5
16fa73eb3867b9dd16194ae843c65ca3

SHA1
94abe7de3ab4e1fcf91646fb1e206b92e1058d87

SHA256
34afe6c9f1455b6d580a4d0365d7397ab7c0ca2fd7f974df3a9aad969c2158e4

SHA512
3805097122581e8b82de793870cb461732ce76eec061411dde8d9da300fdcf9c9d22072ea33f255d8306d16fd89f27b042f225b16538d339dca1127c59fafdd0

Download Submit
memory/192-160-0x0000000000000000-mapping.dmp

Download
memory/212-159-0x0000000000000000-mapping.dmp

Download
memory/408-185-0x0000000000000000-mapping.dmp

Download
memory/644-179-0x0000000000000000-mapping.dmp

Download
memory/940-162-0x0000000000000000-mapping.dmp

Download
memory/1368-141-0x0000000000000000-mapping.dmp

Download
memory/1628-182-0x0000000000000000-mapping.dmp

Download
memory/1700-144-0x0000000000000000-mapping.dmp

Download
memory/1740-146-0x0000000000000000-mapping.dmp

Download
memory/1916-168-0x0000000000000000-mapping.dmp

Download
memory/2080-186-0x0000000000000000-mapping.dmp

Download
memory/2108-147-0x0000000000000000-mapping.dmp

Download
memory/2124-187-0x0000000000000000-mapping.dmp

Download
memory/2240-148-0x0000000000000000-mapping.dmp

Download
memory/2268-188-0x0000000000000000-mapping.dmp

Download
memory/2428-150-0x0000000000000000-mapping.dmp

Download
memory/2432-189-0x0000000000000000-mapping.dmp

Download
memory/2432-149-0x0000000000000000-mapping.dmp

Download
memory/2636-190-0x0000000000000000-mapping.dmp

Download
memory/2656-151-0x0000000000000000-mapping.dmp

Download
memory/2656-191-0x0000000000000000-mapping.dmp

Download
memory/2688-152-0x0000000000000000-mapping.dmp

Download
memory/2700-192-0x0000000000000000-mapping.dmp

Download
memory/2728-169-0x0000000000000000-mapping.dmp

Download
memory/2732-153-0x0000000000000000-mapping.dmp

Download
memory/2808-193-0x0000000000000000-mapping.dmp

Download
memory/2808-154-0x0000000000000000-mapping.dmp

Download
memory/3172-201-0x0000000000000000-mapping.dmp

Download
memory/3212-175-0x0000000000000000-mapping.dmp

Download
memory/3600-125-0x0000000000000000-mapping.dmp

Download
memory/3696-199-0x0000000000000000-mapping.dmp

Download
memory/3832-177-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/3832-170-0x0000000000000000-mapping.dmp

Download
memory/3980-173-0x0000000000000000-mapping.dmp

Download
memory/4072-122-0x0000000000000000-mapping.dmp

Download
memory/4136-163-0x0000000000000000-mapping.dmp

Download
memory/4232-181-0x0000000000000000-mapping.dmp

Download
memory/4240-180-0x0000000000000000-mapping.dmp

Download
memory/4300-197-0x0000000000000000-mapping.dmp

Download
memory/4328-171-0x0000000000000000-mapping.dmp

Download
memory/4360-200-0x0000000000000000-mapping.dmp

Download
memory/4384-158-0x0000000000000000-mapping.dmp

Download
memory/4396-157-0x0000000000000000-mapping.dmp

Download
memory/4400-155-0x0000000000000000-mapping.dmp

Download
memory/4400-194-0x0000000000000000-mapping.dmp

Download
memory/4408-196-0x0000000000000000-mapping.dmp

Download
memory/4412-195-0x0000000000000000-mapping.dmp

Download
memory/4412-156-0x0000000000000000-mapping.dmp

Download
memory/4424-198-0x0000000000000000-mapping.dmp

Download
memory/4972-114-0x0000000000000000-mapping.dmp

Download
memory/5080-118-0x0000000000000000-mapping.dmp

Download
memory/5096-119-0x0000000000000000-mapping.dmp

Download