redline | 72ef598f8e69e142e21fef23cff48d2e9e49dcd142c12189656eab3269b454eb

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2059ca7715450dc171f7608325744da.exe
Size

45.0MB
MD5

a2059ca7715450dc171f7608325744da
SHA1

59f73376071e1e81471e8452db1c188340885a2f
SHA256

72ef598f8e69e142e21fef23cff48d2e9e49dcd142c12189656eab3269b454eb
SHA512

8c2ab1eb0e74a35883f35031c80c98ac63301b21350978d3d322aaf1fc9f02fa7f96cf1f824818f04a821c7f50029a8b9d7b423cf488fd9121dfa00cc0f2562b
SSDEEP

786432:m5/faR80BcXAYOuzNYe6NAApOAsExCWUs38wJ/YSGlWfzewb7wrSvMEBE25t:wfiBOAY3j6NB1h/3JJ/YSdfA+vMEBE2r

Score

10^/10

redline xmrig 1 discovery execution exploit infostealer miner pyinstaller

Malware Config

Extracted

Family

redline

Botnet

147.45.78.229:43674

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

\??\c:\programdata\1.exe family_redline
XMRig Miner payload 2 IoCs
miner

Processes:

resource yara_rule

C:\Windows\Tasks\ApplicationsFrameHost.exe family_xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Possible privilege escalation attempt 13 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid process

3508 icacls.exe
4776 icacls.exe
3488 icacls.exe
2152 icacls.exe
1168 icacls.exe
2152 icacls.exe
2428 icacls.exe
3612 takeown.exe
1208 icacls.exe
232 takeown.exe
4940 takeown.exe
2404 icacls.exe
4608 icacls.exe

resource	yara_rule
\??\c:\programdata\1.exe	family_redline

resource	yara_rule
C:\Windows\Tasks\ApplicationsFrameHost.exe	family_xmrig
C:\Windows\Tasks\ApplicationsFrameHost.exe	xmrig

pid	process
3508	icacls.exe
4776	icacls.exe
3488	icacls.exe
2152	icacls.exe
1168	icacls.exe
2152	icacls.exe
2428	icacls.exe
3612	takeown.exe
1208	icacls.exe
232	takeown.exe
4940	takeown.exe
2404	icacls.exe
4608	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

migrate.exea2059ca7715450dc171f7608325744da.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	migrate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	a2059ca7715450dc171f7608325744da.exe

Executes dropped EXE 10 IoCs

Processes:

migrate.exeWmiic.exeWmiic.exeWmiic.exeIntelConfigService.exeWrap.exeApplicationsFrameHost.exeSuperfetch.exeMSTask.exeMSTask.exe

pid process

4572 migrate.exe
4372 Wmiic.exe
1168 Wmiic.exe
836 Wmiic.exe
1360 IntelConfigService.exe
3848 Wrap.exe
2192 ApplicationsFrameHost.exe
4332 Superfetch.exe
4400 MSTask.exe
2944 MSTask.exe

pid	process
4572	migrate.exe
4372	Wmiic.exe
1168	Wmiic.exe
836	Wmiic.exe
1360	IntelConfigService.exe
3848	Wrap.exe
2192	ApplicationsFrameHost.exe
4332	Superfetch.exe
4400	MSTask.exe
2944	MSTask.exe

Loads dropped DLL 17 IoCs

Processes:

MSTask.exe

pid	process
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe
2944	MSTask.exe

Modifies file permissions 1 TTPs 13 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid process

2428 icacls.exe
3488 icacls.exe
1208 icacls.exe
4940 takeown.exe
3508 icacls.exe
2152 icacls.exe
4776 icacls.exe
1168 icacls.exe
2152 icacls.exe
3612 takeown.exe
232 takeown.exe
2404 icacls.exe
4608 icacls.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Windows\Tasks\IntelConfigService.exe autoit_exe
C:\Windows\Tasks\Superfetch.exe autoit_exe
Drops file in System32 directory 2 IoCs

Processes:

MSTask.exe

description ioc process

File created \??\c:\windows\system32\v.txt6l1npcxw.tmp MSTask.exe
File created \??\c:\windows\system32\miners.txtifi4473l.tmp MSTask.exe

pid	process
2428	icacls.exe
3488	icacls.exe
1208	icacls.exe
4940	takeown.exe
3508	icacls.exe
2152	icacls.exe
4776	icacls.exe
1168	icacls.exe
2152	icacls.exe
3612	takeown.exe
232	takeown.exe
2404	icacls.exe
4608	icacls.exe

resource	yara_rule
C:\Windows\Tasks\IntelConfigService.exe	autoit_exe
C:\Windows\Tasks\Superfetch.exe	autoit_exe

description	ioc	process
File created	\??\c:\windows\system32\v.txt6l1npcxw.tmp	MSTask.exe
File created	\??\c:\windows\system32\miners.txtifi4473l.tmp	MSTask.exe

Drops file in Windows directory 23 IoCs

Processes:

migrate.exeApplicationsFrameHost.exeIntelConfigService.exe

description	ioc	process
File created	C:\Windows\Tasks\MSTask.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\Tasks\Wrap.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wrap.exe	migrate.exe
File created	C:\Windows\Tasks\__tmp_rar_sfx_access_check_240692828	migrate.exe
File created	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\ApplicationsFrameHost.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\run.bat	migrate.exe
File created	C:\Windows\Tasks\WinRing0x64.sys	migrate.exe
File created	C:\Windows\Tasks\MicrosoftPrt.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\config.json	ApplicationsFrameHost.exe
File opened for modification	C:\Windows\Tasks\config.json	migrate.exe
File created	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File created	C:\Windows\Tasks\Superfetch.exe	migrate.exe
File created	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\Wmiic.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\MicrosoftPrt.exe	migrate.exe
File opened for modification	C:\Windows\Tasks	IntelConfigService.exe
File created	C:\Windows\Tasks\config.json	migrate.exe
File opened for modification	C:\Windows\Tasks\IntelConfigService.exe	migrate.exe
File opened for modification	C:\Windows\Tasks\MSTask.exe	migrate.exe
File created	C:\Windows\Tasks\run.bat	migrate.exe
File opened for modification	C:\Windows\Tasks\Superfetch.exe	migrate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3664 powershell.exe
Detects Pyinstaller 2 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Windows\Tasks\MSTask.exe pyinstaller
C:\Windows\Tasks\MicrosoftPrt.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1000 timeout.exe
544 timeout.exe
4672 timeout.exe
3488 timeout.exe
4872 timeout.exe
2224 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2428 tasklist.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3260 taskkill.exe
4920 taskkill.exe
4632 taskkill.exe
396 taskkill.exe
3848 taskkill.exe
5060 taskkill.exe
Runs net.exe

pid	process
3664	powershell.exe

resource	yara_rule
C:\Windows\Tasks\MSTask.exe	pyinstaller
C:\Windows\Tasks\MicrosoftPrt.exe	pyinstaller

pid	process
1000	timeout.exe
544	timeout.exe
4672	timeout.exe
3488	timeout.exe
4872	timeout.exe
2224	timeout.exe

pid	process
2428	tasklist.exe

pid	process
3260	taskkill.exe
4920	taskkill.exe
4632	taskkill.exe
396	taskkill.exe
3848	taskkill.exe
5060	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIntelConfigService.exe

pid	process
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetasklist.exepowershell.exepowershell.exeApplicationsFrameHost.exe

description	pid	process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeTakeOwnershipPrivilege	232	takeown.exe
Token: SeDebugPrivilege	2428	tasklist.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeLockMemoryPrivilege	2192	ApplicationsFrameHost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

IntelConfigService.exeApplicationsFrameHost.exeSuperfetch.exe

pid process

1360 IntelConfigService.exe
1360 IntelConfigService.exe
1360 IntelConfigService.exe
2192 ApplicationsFrameHost.exe
4332 Superfetch.exe
4332 Superfetch.exe
4332 Superfetch.exe

pid	process
1360	IntelConfigService.exe
1360	IntelConfigService.exe
1360	IntelConfigService.exe
2192	ApplicationsFrameHost.exe
4332	Superfetch.exe
4332	Superfetch.exe
4332	Superfetch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2059ca7715450dc171f7608325744da.exepowershell.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4372 wrote to memory of 3024	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 3024	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 3024	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 4312	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 4312	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 4312	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 3664	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 3664	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 4372 wrote to memory of 3664	4372	a2059ca7715450dc171f7608325744da.exe	powershell.exe
PID 3664 wrote to memory of 1624	3664	powershell.exe	net.exe
PID 3664 wrote to memory of 1624	3664	powershell.exe	net.exe
PID 3664 wrote to memory of 1624	3664	powershell.exe	net.exe
PID 1624 wrote to memory of 5088	1624	net.exe	net1.exe
PID 1624 wrote to memory of 5088	1624	net.exe	net1.exe
PID 1624 wrote to memory of 5088	1624	net.exe	net1.exe
PID 3664 wrote to memory of 5060	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 5060	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 5060	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3260	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3260	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3260	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4920	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4920	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4920	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4632	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4632	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 4632	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 396	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 396	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 396	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3848	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3848	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3848	3664	powershell.exe	taskkill.exe
PID 3664 wrote to memory of 3824	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 3824	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 3824	3664	powershell.exe	cmd.exe
PID 3824 wrote to memory of 3612	3824	cmd.exe	takeown.exe
PID 3824 wrote to memory of 3612	3824	cmd.exe	takeown.exe
PID 3824 wrote to memory of 3612	3824	cmd.exe	takeown.exe
PID 3664 wrote to memory of 4208	3664	powershell.exe	schtasks.exe
PID 3664 wrote to memory of 4208	3664	powershell.exe	schtasks.exe
PID 3664 wrote to memory of 4208	3664	powershell.exe	schtasks.exe
PID 3664 wrote to memory of 3800	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 3800	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 3800	3664	powershell.exe	cmd.exe
PID 3800 wrote to memory of 232	3800	cmd.exe	takeown.exe
PID 3800 wrote to memory of 232	3800	cmd.exe	takeown.exe
PID 3800 wrote to memory of 232	3800	cmd.exe	takeown.exe
PID 3664 wrote to memory of 2248	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 2248	3664	powershell.exe	cmd.exe
PID 3664 wrote to memory of 2248	3664	powershell.exe	cmd.exe
PID 4372 wrote to memory of 636	4372	a2059ca7715450dc171f7608325744da.exe	cmd.exe
PID 4372 wrote to memory of 636	4372	a2059ca7715450dc171f7608325744da.exe	cmd.exe
PID 4372 wrote to memory of 636	4372	a2059ca7715450dc171f7608325744da.exe	cmd.exe
PID 636 wrote to memory of 1832	636	cmd.exe	cmd.exe
PID 636 wrote to memory of 1832	636	cmd.exe	cmd.exe
PID 636 wrote to memory of 1832	636	cmd.exe	cmd.exe
PID 1832 wrote to memory of 4872	1832	cmd.exe	chcp.com
PID 1832 wrote to memory of 4872	1832	cmd.exe	chcp.com
PID 1832 wrote to memory of 4872	1832	cmd.exe	chcp.com
PID 1832 wrote to memory of 2428	1832	cmd.exe	tasklist.exe
PID 1832 wrote to memory of 2428	1832	cmd.exe	tasklist.exe
PID 1832 wrote to memory of 2428	1832	cmd.exe	tasklist.exe
PID 1832 wrote to memory of 1700	1832	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\a2059ca7715450dc171f7608325744da.exe
"C:\Users\Admin\AppData\Local\Temp\a2059ca7715450dc171f7608325744da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" stop wmservice
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wmservice
4⤵
PID:5088

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im migrate.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks
3⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\takeown.exe
takeown /F c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
3⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\ProgramData\migrate.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe
3⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4872

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1700

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4940

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $True
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ExclusionPath c:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1168

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2152

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "Admin:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4608

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:544

\??\c:\programdata\migrate.exe
c:\programdata\migrate.exe -p4432
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
5⤵
PID:2248

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3488

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
6⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4872

C:\windows\tasks\Wmiic.exe
"C:\windows\tasks\wmiic" start WMService
6⤵
- Executes dropped EXE
PID:1168

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:2224

C:\Windows\SysWOW64\net.exe
net start WMService
6⤵
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WMService
7⤵
PID:1224

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:2092

C:\windows\tasks\Wmiic.exe
C:\windows\tasks\Wmiic.exe
1⤵
- Executes dropped EXE
PID:836

C:\windows\tasks\IntelConfigService.exe
"IntelConfigService.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1360

C:\Windows\Tasks\Wrap.exe
C:\Windows\Tasks\Wrap.exe
3⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
4⤵
PID:1632

C:\Windows\Tasks\ApplicationsFrameHost.exe
C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
3⤵
PID:956

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "PXHSTPPU$:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
3⤵
PID:1112

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
3⤵
PID:4304

C:\Windows\system32\icacls.exe
icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208

C:\Windows\Tasks\Superfetch.exe
C:\Windows\Tasks\Superfetch.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4332

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
3⤵
- Executes dropped EXE
PID:4400

C:\Windows\Tasks\MSTask.exe
C:\Windows\Tasks\MSTask.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\migrate.exe
Filesize
44.6MB

MD5
e75a9f4cbcdd27b2537920d6fd9bd551

SHA1
cef1e0f896fc58679bdfb87ba11dc69a1e4948e6

SHA256
c180ab1760e2da0a10de0672901f86d3a0e690b37bfb17f1d7eeaced8faa145d

SHA512
7915bef2c04c865a3f3fc24f49472d27c7be11894ff86a277b8acaabe2f283f9981bf9bb4959e67c0f7fcfd244b47ec2cf56810f0d1d2f68de995fa5abf32337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
483d1d4ce6890d8e8e8c0912a7461a35

SHA1
c5fcc7b405fa30d42aaf5a46b70c0fc7e2ad02d0

SHA256
4f46f2bc8201b7f5323ee3c19ede4fa94419b33d93e4652a05e3dd95743f0ff2

SHA512
8607500a0f00c18f6588510da7691c60e70e95a98a0d41ad68d3d873853962f4d490073a4de9dbed14768d3785f7aa6200b06701862ec4b1f4c52414a7a89e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
363a15f97cb4c39b5536d9ebcae61e49

SHA1
962b4dc290495e8411b7e8834622a7e431260c30

SHA256
1bc216353592f330b00b0e72c3947f403bc33796b7d984ad6e763a6a507a1a27

SHA512
9b0952df723d86bf03a5d965799dca3c124c5b0e33fe972c3d675d15e6708432c64f934b3772a2f0ffa30b3d52b043441152f6e2aad34e6f58643c5b134bfe64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c4af9d8e4c4f3f11ebfbfed25566dd7e

SHA1
4c9faa95ffc8fdc54bf73f4ac663064e68e67765

SHA256
ca61d2e25f9dd19eb59017a3a05cedebb0f9c91b6e88201baafc7ccd0786a054

SHA512
1fe05a2e8b1ca57630ee2ed525cbdd308dc43c98ab238efd3edf6551aa92b0f2e3282a2b548f1f61a788ea41f05f2ba2850b8efe4a8ed1b5d7ce7b35aa2b9ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3211b1f473532e70618f1d58da5a9ff6

SHA1
309f2d5c930882f295aa995f644238e62092187f

SHA256
4abaa69a277e88ffe8cb8340c0dc8cd8b7e6f109f8094f529aad86196db41845

SHA512
bd72c458f27a7161c9367d2ee251d32b936f976df5b1eb14c7b7f8cc33cafea430526a5fb77794c7903d0b9f0f16127cc4b11913362c0541a33d16cac3435151

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywb1oslz.jns.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
878118c23415178dd4be78cb0733559f

SHA1
94a60592a58392e8aea758904067130ce52547e0

SHA256
8430e7e9c949b2f3fa92dbad77078fa9bc3d7a8e61f3fe28bb35e1194789e9fd

SHA512
f2c91646028b8caa4cc05f06e8d095388cb2f5c5aa8a04df6bec4df8cbdccd6930d569194ab8af37c87aa3fada099681c291ed60bc01dd9f61595d3d3a8b20dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
617b3fd833c3fe0d345342834a6026dc

SHA1
f60abea2339ef2450094f9dc0a0d404f60044ea1

SHA256
111133b322e1986df5dc4cfd9641f8f281b0266789ffccd012a9bee18b707870

SHA512
5f3d0962ececdb51c4658d96ea7265f0711f02bfa308618ae754ce0b15b077dea2bac973292be3fd6fc63518819fa78a5e9da4c8c8a9c8d66ffb4e95b7fa5562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
b6223e45b69fcc6684ec1ea78d31bbae

SHA1
e9565452839a067ed3cbfa49ab4569d1686d4798

SHA256
9bd000d6ded4e77cfdd526cbb526a6d818cafd52960bdd5254860740e5e71499

SHA512
bbac4916d3358d62f896ce702151f82082ebf5ef263fca0c26f59322a964bb9752f10d9842f93208d5901724ee64dd2e3071d049b6dbb8c7de948071917817f6

Download Submit
C:\Windows\TEMP\_MEI44002\_cffi_backend.cp38-win_amd64.pyd
Filesize
177KB

MD5
77b5d28b725596b08d4393786d98bd27

SHA1
e3f00478de1d28bc7d2e9f0b552778be3e32d43b

SHA256
f7a00ba343d6f1ea8997d95b242fbbd70856ec2b98677d5f8b52921b8658369c

SHA512
d44415d425f7423c3d68df22b72687a2d0da52966952e20d215553aa83de1e7a5192ec918a3d570d6c2362eb5500b56b87e3ffbc0b768bfa064585aea2a30e9d

Download Submit
C:\Windows\TEMP\_MEI44002\_ctypes.pyd
Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Windows\TEMP\_MEI44002\_queue.pyd
Filesize
27KB

MD5
44b72e0ad8d1e1ec3d8722088b48c3c5

SHA1
e0f41bf85978dd8f5abb0112c26322b72c0d7770

SHA256
4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e

SHA512
05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

Download Submit
C:\Windows\TEMP\_MEI44002\_ssl.pyd
Filesize
115KB

MD5
8ee827f2fe931163f078acdc97107b64

SHA1
149bb536f3492bc59bd7071a3da7d1f974860641

SHA256
eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4

SHA512
a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

Download Submit
C:\Windows\TEMP\_MEI44002\base_library.zip
Filesize
821KB

MD5
e187fce3f6d3f4ba450630147421a885

SHA1
18241f2097f7d53cfb6b118fae1f9cd31d169d07

SHA256
1f908e12fba42af4ad0ade6fa7f1dbc617afe7837271911056af266d895e596a

SHA512
7837a3b28993422d067643efe17c5f573dbd4c4b3e6d915e691e7557c259146a3fddb104da5306b63be59a81446d1dfea5317b5e62cbce6a5aaa8dc700b42874

Download Submit
C:\Windows\TEMP\_MEI44002\libffi-7.dll
Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Windows\TEMP\_MEI44002\python38.dll
Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Windows\TEMP\_MEI44002\unicodedata.pyd
Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
C:\Windows\Tasks\ApplicationsFrameHost.exe
Filesize
5.5MB

MD5
93ceef4357070a8ddc0beac173547ec1

SHA1
1e9bf45a790b5a818730de750dc6e2ffe6c35f7c

SHA256
4d084a7e0c656d038d3176e97a4f807d094ce78f6b1f92a6ada7b93cf6a7cf03

SHA512
611c22d55f2830f0556170144d6e0be64cf5bbd6ebe80323cf2944fe8860c9babac9439bff75626e10499b012c178feae3d80fe9939fec402115c3f184825cf6

Download Submit
C:\Windows\Tasks\IntelConfigService.exe
Filesize
1.8MB

MD5
58e4115267b276452edc1f541e3a8198

SHA1
ec40b6cce5c9a835563c17da81997e8010ac9cad

SHA256
713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08

SHA512
3def4b7f7fbeab01826eb733174bca64860f8bfbad3baec361b65b07b4558e28830fcc2deb264622199f9474277f04e562830bc5f0bf8a0e7932d002f1a812c5

Download Submit
C:\Windows\Tasks\MSTask.exe
Filesize
8.5MB

MD5
92a9c0ef09f955f9f1bca837d7aa493f

SHA1
9292e187f09c271393be635220a75b11c03c469d

SHA256
95c101a0164af189cc282eb2d67e143b42e6d57d7ef396d59715a355a3162b96

SHA512
c906db5cec598254d5584040b02dfb7b813b94d63af6af90f3ab7014a89409677d6ca78d4f544b3415058c09ba6c972e7cf8da4b1aa04f954a4689b4a70cbf3f

Download Submit
C:\Windows\Tasks\MicrosoftPrt.exe
Filesize
32.6MB

MD5
02484a615e581a9a431e20df300faed4

SHA1
d855e2c9338b1508577b3e831cc89838c2768647

SHA256
16d2f6194d1b1989fbef4572055dbf62a0d6a2570b316ac15722192f1c559a50

SHA512
7b69e3e47863ec7edfa03fa1f25a15c90ee84aec520ff08d8834b010eb58532f444daa81056b3dcc7d77f42eb0f390b8490cb59a705fa24b6674a088d796fe57

Download Submit
C:\Windows\Tasks\Superfetch.exe
Filesize
1.6MB

MD5
362ffce5c7c480702a615f1847191f62

SHA1
75aceaea1dfba0735212c2ab5cafc49257927f73

SHA256
9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53

SHA512
9a71825a4e111c89e193f799f5cd0f38bf753137bf669040254eb5ecfbeb1e7fb161451320592832381b6ae7a95b015ef8e9192ab10ad41e113bad35dde7d15f

Download Submit
C:\Windows\Tasks\WinRing0x64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Tasks\Wmiic.exe
Filesize
365KB

MD5
a18bfe142f059fdb5c041a310339d4fd

SHA1
8ab2b0ddc897603344de8f1d4cc01af118a0c543

SHA256
644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768

SHA512
c30d46781b17c4bb0610d3af4b5acc223394d02f9fbb1fbb55811ae2efe49fd29a7e9626737c4b24194c73c58fe1b577a858559a7e58d93c3660ac680f19eaf8

Download Submit
C:\Windows\Tasks\Wrap.exe
Filesize
362KB

MD5
39adb356036e91008843b83efb61131d

SHA1
59a38a196a2aa4c90100b1b8cc806e5582e0d4de

SHA256
1cf2bdb1cdd34bb50d60f21b8208041913747b8deca5f26aa187d2e8c0e9a105

SHA512
e606b15ee26d78b16851ec955a6c80759919937ab19c9b7b69d52747d0170524ee595f7ff15d881a412b45865e92439da9f3e5dceee004529bbf186a8510264a

Download Submit
C:\Windows\Tasks\config.json
Filesize
3KB

MD5
059e303d9b3cfc5c3fdb9165e0868d2c

SHA1
4e2996981ce135afd309d1b107045b98f20193e3

SHA256
b11f0b3ab14221942f68f0393102520c05a5316e56bba63d6e9cd92b0ffbb4f2

SHA512
1d4ba2a23fc6b8e8f261a900d0ff56c00bac5ad7272ef2ed9d87640eef3550eaa03c401e1c761dc31da8a3b3062f526b9cd7d5b528404290775f9020de154c1a

Download Submit
C:\Windows\Temp\_MEI44002\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Windows\Temp\_MEI44002\_bz2.pyd
Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Windows\Temp\_MEI44002\_hashlib.pyd
Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
C:\Windows\Temp\_MEI44002\_lzma.pyd
Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
C:\Windows\Temp\_MEI44002\_socket.pyd
Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
C:\Windows\Temp\_MEI44002\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Windows\Temp\_MEI44002\libssl-1_1.dll
Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Windows\Temp\_MEI44002\psutil\_psutil_windows.pyd
Filesize
65KB

MD5
01f9d30dd889a3519e3ca93fe6efee70

SHA1
ebf55adbd8cd938c4c11d076203a3e54d995aeff

SHA256
a66444a08a8b9ceafa05daefeb32aa1e65c8009a3c480599f648fa52a20afb7d

SHA512
76fed302d62bb38a39e0bf6c9038730e83b6afffa2f36e7a62b85770d4847ea6c688098061945509a1fdb799fb7f5c88699f94e7da1934f88a9c3b6a433ee9ef

Download Submit
C:\Windows\Temp\_MEI44002\python3.dll
Filesize
57KB

MD5
7acec875d5672e7aa148b8c40df9aa49

SHA1
96b8cfabe0cfa3df32995919ac77cfdeec26f1f2

SHA256
d96858e433f45917499dbf5e052e56f079ff9ae259fd3caa025c3b1daf852891

SHA512
1208da62fe82b779ec822ad702f9ca4321b34ee590c28e10efe9a2db6d582bfdcae01ab2431c1a98714ef0c60434d64c58f3db31bf5886efbb943adc70d6e975

Download Submit
C:\Windows\Temp\_MEI44002\select.pyd
Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\windows\tasks\run.bat
Filesize
566B

MD5
ec04f50bc9bccb2484db435653f949e7

SHA1
9a898ab38e980caa44504ebb400ee01ce2d46a3f

SHA256
806a3fedd93ad066f918e6edda5a464fd4c13390501bba9bef8c7e2f0d6b8ba4

SHA512
c6e98899eb2d2fdae8e67c0f63de4c9a3bd956343909f07063f128fb6ff488855045f4e7feb3ade6d5e76eb1a59d0f22e4213457717a70616a41bfc5544583da

Download Submit
\??\c:\programdata\1.exe
Filesize
297KB

MD5
809bd9b203cf2ea6fe29d7074ae1c246

SHA1
1efd4ba7ac8c7317f4d01e409a580dc02ced6306

SHA256
663bc369d3051824e2b2f9e05accb8e9e4be86afc59d5b2aa26a3a5ee150370a

SHA512
6bc93e02e192ab03c448bf7a982fc5af0a1a5df5e2bd9cacdebb9279119845f43ddc68011194c7317021f75ad37ba7c1603c77af09bdfe2febfbaca0fffe8249

Download Submit
\??\c:\programdata\st.bat
Filesize
1KB

MD5
4050181042859e45ecfa6f224afa79df

SHA1
e72c9c8ba589b42a82792d8f7e794b79d8e831e3

SHA256
9df0ff284989b10162cffb51d9873c6743ffb83f6d7c4b869a8193e6d6ac63e9

SHA512
de2740437a431403ac89577f1f570a78269f0f24c58b531e7522542e60a668d7da355be3a126ac2fc4472282c0b06d8b217ec62f04ed5e6aab0ba9c8d27c54ce

Download Submit
memory/2192-203-0x00000243A2620000-0x00000243A2640000-memory.dmp

Filesize
128KB

Download
memory/3024-34-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-4-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/3024-3-0x0000000005230000-0x0000000005266000-memory.dmp

Filesize
216KB

Download
memory/3024-38-0x0000000008000000-0x000000000867A000-memory.dmp

Filesize
6.5MB

Download
memory/3024-5-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-6-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-7-0x0000000005F40000-0x0000000005F62000-memory.dmp

Filesize
136KB

Download
memory/3024-14-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3024-40-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/3024-13-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3024-49-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-46-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/3024-45-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/3024-44-0x0000000007C30000-0x0000000007C44000-memory.dmp

Filesize
80KB

Download
memory/3024-43-0x0000000007C20000-0x0000000007C2E000-memory.dmp

Filesize
56KB

Download
memory/3024-42-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

Filesize
68KB

Download
memory/3024-2-0x0000000072F6E000-0x0000000072F6F000-memory.dmp

Filesize
4KB

Download
memory/3024-41-0x0000000007C60000-0x0000000007CF6000-memory.dmp

Filesize
600KB

Download
memory/3024-19-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/3024-20-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3024-33-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/3024-37-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-36-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/3024-35-0x0000000007880000-0x0000000007923000-memory.dmp

Filesize
652KB

Download
memory/3024-22-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download
memory/3024-39-0x0000000005440000-0x000000000545A000-memory.dmp

Filesize
104KB

Download
memory/3024-21-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/3024-23-0x000000006F830000-0x000000006F87C000-memory.dmp

Filesize
304KB

Download
memory/3068-148-0x0000000070D20000-0x0000000070D6C000-memory.dmp

Filesize
304KB

Download
memory/3664-94-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-121-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/4012-123-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/4012-136-0x0000000007910000-0x0000000007924000-memory.dmp

Filesize
80KB

Download
memory/4012-135-0x00000000078D0000-0x00000000078E1000-memory.dmp

Filesize
68KB

Download
memory/4012-134-0x0000000007630000-0x00000000076D3000-memory.dmp

Filesize
652KB

Download
memory/4012-124-0x0000000070D20000-0x0000000070D6C000-memory.dmp

Filesize
304KB

Download
memory/4312-68-0x000000006F830000-0x000000006F87C000-memory.dmp

Filesize
304KB

Download
memory/4312-66-0x0000000005AE0000-0x0000000005E34000-memory.dmp

Filesize
3.3MB

Download