limerat | b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43

Analysis

max time kernel
1050s
max time network
1050s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-12-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FINAL.exe
Size

13.2MB
MD5

8c9180cfa2862e68b9beaf9b9e14a1c2
SHA1

09011f6b0b5d48e9bb61e65f10872fe4b344f66a
SHA256

b8e6b01b8e7598bd8b01bedfe1232eb936a12f852a90a3a545bc2af7e4667c43
SHA512

4657b171e3594370a8c9086bd2436b5ec7deaba73975856baafce4391582c6ce45d0820922706e0de3346bb85ffe8854fe419baa88a6cca83b94d67214bdf6c3
SSDEEP

196608:7+ww4z5xjkyIte8YHX0QoLPT7M18ZKhib/sV83V+Uj3iI9NeTA4cxXD4JF:7+x4FSyI88Ekprw1/f8R3roTAY

Score

10^/10

limerat quasar revengerat windowsfirewall ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

windowsfirewall

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

hMAbT9pppBWPnLDPSK

Attributes

encryption_key
iZ94RsK8uKM1BvRnYlBk
install_name
wfmsc.exe
log_directory
Logs
reconnect_delay
1
startup_key
windowsdefender
subdirectory
windowsfirewall

Extracted

Family

limerat

Attributes

aes_key
key
antivm
false
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
UserProfile
pin_spread
true
sub_folder
\wd\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/844-74-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/844-75-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/844-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/844-77-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/844-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/844-81-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Executes dropped EXE 7 IoCs

Processes:

Blank Grabber.exeM2kZrx0Y7oeB.exewindowsdefender.exeDB8oZUaTmbOF.exeBlank Grabber.exeDECRYPT.exeDECRYPT.exe

pid	Process
268	Blank Grabber.exe
1628	M2kZrx0Y7oeB.exe
1420	windowsdefender.exe
1128	DB8oZUaTmbOF.exe
872	Blank Grabber.exe
1256	DECRYPT.exe
2004	DECRYPT.exe

Drops startup file 2 IoCs

Processes:

FINAL.exewindowsdefender.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe	FINAL.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe	windowsdefender.exe

Loads dropped DLL 14 IoCs

Processes:

FINAL.exeMSBuild.exeM2kZrx0Y7oeB.exewindowsdefender.exeBlank Grabber.exe

pid	Process
828	FINAL.exe
844	MSBuild.exe
844	MSBuild.exe
1628	M2kZrx0Y7oeB.exe
1628	M2kZrx0Y7oeB.exe
844	MSBuild.exe
844	MSBuild.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
872	Blank Grabber.exe
1372
1372
1420	windowsdefender.exe
1420	windowsdefender.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

windowsdefender.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\LimeWALL.jpg"	windowsdefender.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FINAL.exe

description	pid	Process	procid_target
PID 828 set thread context of 844	828	FINAL.exe	33

Drops file in Program Files directory 64 IoCs

Processes:

windowsdefender.exe

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga	windowsdefender.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	windowsdefender.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	windowsdefender.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll	windowsdefender.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	windowsdefender.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF	windowsdefender.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	windowsdefender.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll	windowsdefender.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	windowsdefender.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF	windowsdefender.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	windowsdefender.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	windowsdefender.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31B.GIF	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43F.GIF	windowsdefender.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	windowsdefender.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	windowsdefender.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Perth	windowsdefender.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	windowsdefender.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\THMBNAIL.PNG	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	windowsdefender.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSLM.DLL	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF	windowsdefender.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	windowsdefender.exe
File opened for modification	C:\Program Files\BlockLimit.pptx	windowsdefender.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk	windowsdefender.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll	windowsdefender.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5	windowsdefender.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	windowsdefender.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL	windowsdefender.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF	windowsdefender.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar	windowsdefender.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	windowsdefender.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	windowsdefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
520	schtasks.exe
1128	schtasks.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

windowsdefender.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallpaperStyle = "2"	windowsdefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\TileWallpaper = "0"	windowsdefender.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DECRYPT.exeDECRYPT.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DECRYPT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DECRYPT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	DECRYPT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000019000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DECRYPT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	DECRYPT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DECRYPT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

FINAL.exewindowsdefender.exeDECRYPT.exeDECRYPT.exe

pid	Process
828	FINAL.exe
828	FINAL.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
1420	windowsdefender.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
1420	windowsdefender.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
1256	DECRYPT.exe
1420	windowsdefender.exe
2004	DECRYPT.exe
1256	DECRYPT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
588	AcroRd32.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

windowsdefender.exe

pid	Process
1420	windowsdefender.exe
1420	windowsdefender.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

FINAL.exeMSBuild.exewindowsdefender.exevssvc.exeDECRYPT.exeDECRYPT.exe

description	pid	Process
Token: SeDebugPrivilege	828	FINAL.exe
Token: SeDebugPrivilege	844	MSBuild.exe
Token: SeDebugPrivilege	1420	windowsdefender.exe
Token: SeDebugPrivilege	1420	windowsdefender.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeDebugPrivilege	2004	DECRYPT.exe
Token: SeDebugPrivilege	1256	DECRYPT.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

DllHost.exeDECRYPT.exeDECRYPT.exe

pid	Process
1056	DllHost.exe
1056	DllHost.exe
1056	DllHost.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
1256	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe
2004	DECRYPT.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid	Process
588	AcroRd32.exe
588	AcroRd32.exe
588	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FINAL.exeMSBuild.exeM2kZrx0Y7oeB.exewindowsdefender.exevbc.exevbc.exevbc.exe

description	pid	Process	procid_target
PID 828 wrote to memory of 268	828	FINAL.exe	28
PID 828 wrote to memory of 268	828	FINAL.exe	28
PID 828 wrote to memory of 268	828	FINAL.exe	28
PID 828 wrote to memory of 268	828	FINAL.exe	28
PID 828 wrote to memory of 588	828	FINAL.exe	29
PID 828 wrote to memory of 588	828	FINAL.exe	29
PID 828 wrote to memory of 588	828	FINAL.exe	29
PID 828 wrote to memory of 588	828	FINAL.exe	29
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 828 wrote to memory of 844	828	FINAL.exe	33
PID 844 wrote to memory of 520	844	MSBuild.exe	35
PID 844 wrote to memory of 520	844	MSBuild.exe	35
PID 844 wrote to memory of 520	844	MSBuild.exe	35
PID 844 wrote to memory of 520	844	MSBuild.exe	35
PID 844 wrote to memory of 1628	844	MSBuild.exe	37
PID 844 wrote to memory of 1628	844	MSBuild.exe	37
PID 844 wrote to memory of 1628	844	MSBuild.exe	37
PID 844 wrote to memory of 1628	844	MSBuild.exe	37
PID 1628 wrote to memory of 1128	1628	M2kZrx0Y7oeB.exe	38
PID 1628 wrote to memory of 1128	1628	M2kZrx0Y7oeB.exe	38
PID 1628 wrote to memory of 1128	1628	M2kZrx0Y7oeB.exe	38
PID 1628 wrote to memory of 1128	1628	M2kZrx0Y7oeB.exe	38
PID 1628 wrote to memory of 1420	1628	M2kZrx0Y7oeB.exe	40
PID 1628 wrote to memory of 1420	1628	M2kZrx0Y7oeB.exe	40
PID 1628 wrote to memory of 1420	1628	M2kZrx0Y7oeB.exe	40
PID 1628 wrote to memory of 1420	1628	M2kZrx0Y7oeB.exe	40
PID 844 wrote to memory of 1128	844	MSBuild.exe	41
PID 844 wrote to memory of 1128	844	MSBuild.exe	41
PID 844 wrote to memory of 1128	844	MSBuild.exe	41
PID 844 wrote to memory of 1128	844	MSBuild.exe	41
PID 1420 wrote to memory of 1828	1420	windowsdefender.exe	42
PID 1420 wrote to memory of 1828	1420	windowsdefender.exe	42
PID 1420 wrote to memory of 1828	1420	windowsdefender.exe	42
PID 1420 wrote to memory of 1828	1420	windowsdefender.exe	42
PID 1420 wrote to memory of 1872	1420	windowsdefender.exe	44
PID 1420 wrote to memory of 1872	1420	windowsdefender.exe	44
PID 1420 wrote to memory of 1872	1420	windowsdefender.exe	44
PID 1420 wrote to memory of 1872	1420	windowsdefender.exe	44
PID 1872 wrote to memory of 1124	1872	vbc.exe	46
PID 1872 wrote to memory of 1124	1872	vbc.exe	46
PID 1872 wrote to memory of 1124	1872	vbc.exe	46
PID 1872 wrote to memory of 1124	1872	vbc.exe	46
PID 1420 wrote to memory of 2036	1420	windowsdefender.exe	47
PID 1420 wrote to memory of 2036	1420	windowsdefender.exe	47
PID 1420 wrote to memory of 2036	1420	windowsdefender.exe	47
PID 1420 wrote to memory of 2036	1420	windowsdefender.exe	47
PID 2036 wrote to memory of 1844	2036	vbc.exe	49
PID 2036 wrote to memory of 1844	2036	vbc.exe	49
PID 2036 wrote to memory of 1844	2036	vbc.exe	49
PID 2036 wrote to memory of 1844	2036	vbc.exe	49
PID 1420 wrote to memory of 304	1420	windowsdefender.exe	50
PID 1420 wrote to memory of 304	1420	windowsdefender.exe	50
PID 1420 wrote to memory of 304	1420	windowsdefender.exe	50
PID 1420 wrote to memory of 304	1420	windowsdefender.exe	50
PID 304 wrote to memory of 1408	304	vbc.exe	52
PID 304 wrote to memory of 1408	304	vbc.exe	52
PID 304 wrote to memory of 1408	304	vbc.exe	52

C:\Users\Admin\AppData\Local\Temp\FINAL.exe
"C:\Users\Admin\AppData\Local\Temp\FINAL.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe"
  2⤵
  - Executes dropped EXE
  PID:268
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:872
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\CPN BIBLE.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windowsdefender" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
    "C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\wd\windowsdefender.exe'"
      4⤵
      Creates scheduled task(s)
      PID:1128
  - - C:\Users\Admin\wd\windowsdefender.exe
      "C:\Users\Admin\wd\windowsdefender.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Loads dropped DLL
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: RenamesItself
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4kdfde2\r4kdfde2.cmdline"
        5⤵
        
        PID:1828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnsvajed\nnsvajed.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38AE.tmp"
        6⤵
        
        PID:1124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2zjoefnw\2zjoefnw.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A34.tmp"
        6⤵
        
        PID:1844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ojp0r3u\4ojp0r3u.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C56.tmp"
        6⤵
        
        PID:1408
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ-ME-NOW.txt
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ-ME-NOW.txt
        5⤵
        
        PID:672
    - - C:\Users\Admin\Desktop\DECRYPT.exe
        
        "C:\Users\Admin\Desktop\DECRYPT.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1256
    - - C:\Users\Admin\Desktop\DECRYPT.exe
        
        "C:\Users\Admin\Desktop\DECRYPT.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2004
- - C:\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe
    "C:\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe"
    3⤵
    - Executes dropped EXE
    PID:1128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk.Lime
1⤵
- Modifies registry class
PID:204

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\Firefox.lnk.Lime
1⤵
- Modifies registry class
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
f9da8860a6202ae38b1fc78a699df59a

SHA1
c499ec1f6e3940d941dd4d8e5edadbee9d279d58

SHA256
3ba1a276ed5b6f2c8b00907369a407efe010df9263bef375cafe1d01c9fe6474

SHA512
dfe1d3669582686fcb340161a32a86f2c767e773a0cb79f898f1bf76828637e8a8cbfd5ab596d4f0c6da9bfcc0325378b5297e36b4db8eb26b7b69118ae05997

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
09a429e92702c01a0e7a6c237174a201

SHA1
95acf1be8c635895137f1da04b93f9128f7b9a8e

SHA256
6048a6db71b46348f9b5c877955fb6738b08233e98919a69f1602075a7fee325

SHA512
45ca9656d24fb8b2c95efb3d8b752fad8911e36306e4146ecd0f2e58aab3d5dcca5d6a98315f46d121f29baabd2870c1f6fa0930de319d966403f91bfd4246b2

Download Submit
C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT

Filesize
8KB

MD5
50c8e81a65e9295c3de849d25bc485d0

SHA1
2e3699a4a9a4bf91e8612b9aad757e272ee73b8d

SHA256
dda7ee0c6cf034f96231f39da20be7a581bb8468257ecf72d1dd649c4f338bac

SHA512
44daa75979074211a87d16cb426d19af48c51b35ebfd57535d2282b63a12fdfea4b84b5c14a4bf722e431ac570f1cf6b797d87665e12da65774d91f62d2bccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zjoefnw\2zjoefnw.0.vb

Filesize
226B

MD5
5639995e6ec443645bd47e6d6f5fcc0b

SHA1
b2b16b82456c951bb598477f9358dca95eaca9b2

SHA256
8a923c0867d8b7b580733c020c9640e23d60d7d7e2a0f72229ca7344ea73472b

SHA512
d68a25ca35d40879ca627e43661576bc2e9193653e5fe7fecaaa442349a844a0d89f9acb11bb37678d5c823d72e4c4dcc26bd6cfb29799d18cae7d3abd72db50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zjoefnw\2zjoefnw.cmdline

Filesize
299B

MD5
b534b05fc35a9ed620b8464a708282a8

SHA1
0e0861a7f7c9ee22651290794192c13193ffab92

SHA256
4ef91fa49d3c6940734c5ce3dc0b9120ab0aba24b918e3d999ebfb7bc33a4fce

SHA512
be83effa7180fc1085301ff2db4f2aae69d4a490ebd90f377f84b94b52cd1e5facf559efa4c6153c4c09a1fb6a8b590c80888d9f397909168323c67ad25574e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ojp0r3u\4ojp0r3u.0.vb

Filesize
230B

MD5
849f7b4df3866e46d0df46942d689d57

SHA1
bb55bfbb5f9fcda3e86f76c7b6691c9a82dcce3b

SHA256
7a9c3db556b2fdd7b2d2465d24cabc92132f60710a01f7d5bc1950679f8ad79e

SHA512
a3293f90e5dee706668e03c3449a17e8c390dd3136648aacea81d1e7225115114aa041ed5ef9741e90e76995a3436486ebbfbba62979423349026ace0825b489

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ojp0r3u\4ojp0r3u.cmdline

Filesize
306B

MD5
5600159303d3b489003f92a9f31a35c7

SHA1
7c1b883e5881d3b3747ff14bfcf22cf295f2d1b8

SHA256
130b6f28fbfe30db5083f208b626b096bb9dde6a2c1ff0b6ca39001300e393da

SHA512
e67a4281cbbfbf4f55f104ebdc8a316c3eb0e7743310ac2755f7e68eee28f05cd972a7c3a7f4b6a8a1e080b96813e1ee65b18e1abeca47463a33945a4a079eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38AF.tmp

Filesize
5KB

MD5
03fd3286c8279a7fe1ecefaae2d59e11

SHA1
bc8912356d66394ec9fe2300b111206be947a685

SHA256
0a0639ad77af85259fad13803186243a738746105506f546e716d7f4b758ba15

SHA512
a55fc8fec28299527433db6eb79c61bf22de3302889a2cf1ad32a329a01e8966e0b9758c32d752347ccbf707e96ffc2740a79fa7d5caac5c92bc64f7e172a095

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A35.tmp

Filesize
5KB

MD5
ac85beb9c531ff4b1fe969f824a3c2d9

SHA1
aa34d7cf486422fed6a9c56621591e6a3c10448b

SHA256
e53f8ecfd3a81e5d56eed21e0422df34e1f89863f5e65166a34a9c09a5b5282d

SHA512
0330c63684a4d544685ddf8e36f4cb8ac9bee8cd7339da7884946656e59bfe72523004b72092e9c9d1cb154b9eb8c584d727474c80e23ca13f8ae49c60b0618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C57.tmp

Filesize
5KB

MD5
5ca38334d49b84423028e891d4ae2452

SHA1
14976440eb5483523befbca65e8d50fbe3b8f74c

SHA256
51f8f054f670b087cab665a2d8f9d3717252873e2fc6969f9abd16c8e2e01b13

SHA512
647ac23a8f097b916ed7ab6dec93d91c0dbfe11e963e56fd42bd20270f881e96af2867457d24734d9ee7967e851406f8cbd760f906f99cdfc3328f4d80de8ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_github.com..Blank_c2682\python311.dll

Filesize
1.6MB

MD5
8534c15a4eb10120c60c9233d2693dec

SHA1
126a52080ecaec660bfd56f8e3c76fb0f8b664c8

SHA256
fd6e6c75180af0d08c9e78831229468c7047003dd995303004f66891fccec392

SHA512
1064b385a5d5f7e8061913321bca64865ed5569b4629b6a2728852ade84857f6f370d823b86542fa5943d1548ec55e65029eba7a94285a6d3c00d106c0e868a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnsvajed\nnsvajed.0.vb

Filesize
227B

MD5
317082e9d2a099d1e4c68153cfc5d3d8

SHA1
01ae6d01eafbb000be600268c0df056a12ef4e9d

SHA256
1a5b4c4e13822aa49c0be5541c38c8d73254e2092c4bd8bba7313ae8f8b98b09

SHA512
3a5c61d1e6810cf0d24b97fc742a3c130d643ffec2f3db28d6d4c3b9940c97eb5272e9eff08ccc3cdb706fddde925248bd7452d627f8dca07f9f26b37fa71260

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnsvajed\nnsvajed.cmdline

Filesize
301B

MD5
e01116cdbf46f8fac1aaae22c27d1861

SHA1
8c366c2cf3f27e6ff4d1e50e5701af10a05b652e

SHA256
d664810da469336a56a72a7e3ef05c1c95b6ff55ebbc34e05357b44d0fb5c3f8

SHA512
b208a833b3d94f4e6b826db372e917a0efd19903e0e2b636856324ec0d474b15e0e475b87c0e3c244701abb1118662fcb3f8323e33ee89252dd1410b6096d0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4kdfde2\r4kdfde2.0.vb

Filesize
223B

MD5
5a1790f90159ca90dcadc30280727b3e

SHA1
59ac615c862d894e9dea2fcfad1fa9ec46fd868e

SHA256
bfa0c7065d21ea491ece8a42bff0908a41d7f0236a07913d7221e2f1089de76f

SHA512
c54d9ea3b4c9b9d83a27bde06ed09c8cc4278f980bba72623e70539daa0b7e0c6923c7fa9a2cfdeb4b6be93ccae57c9925531892079b910c771ed358269c5df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4kdfde2\r4kdfde2.cmdline

Filesize
293B

MD5
3148b5aa5d674f230af6f9b952438515

SHA1
63b03d9308ed05393ed6f6854da36366363ba87c

SHA256
e348cd0523b7c909ea7146aea737474ddee2ba0839dd4fb1294552095f12c2d1

SHA512
78641a46d7ae09f2f88cd737a7d256e24830ea1a6adc159cc8327b8b32fffafa0a4c24d5f18eff901290e00f447cdd572001517b4a9e2ff8b577005d6ab65ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc38AE.tmp

Filesize
4KB

MD5
afe48426876eedacfdba91eb5176ecf8

SHA1
9da744cfff5427e51c2e7d091408539e03d80a05

SHA256
387dee5276fe1bb1c2c247e24436b03af42c504b6c4c48ed74ddaeae63c7cd6e

SHA512
f22abfb811911e8fdf4cb4df9d980beb9350e3be987debd4989b4a9afb0b0c45966600f013f2822adf26328335a6e39fe2326063aae8c24df5a3fcc9fcc9c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3A34.tmp

Filesize
4KB

MD5
a3487b776d060a4552667931e5382936

SHA1
fe13f9c7c180fac565d5f4ce2c88b1fb8b8023ed

SHA256
d12f09ec4b6d340bfbc6ab928f127a1482e3fd6a4eff6ec090875cdfad642f45

SHA512
e06e4ea67baf67314ae42e23c9737c675f07528c9c66a0ddfc42084be4a0f086c97f10c75015c7f93bdf229e0790136844af227562107627de5b2af00d69985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C56.tmp

Filesize
4KB

MD5
eb7a3f68ceac4a230a060cd5056dcc5a

SHA1
b84047c053b4e1ace70fb47df7d6ffba8551370e

SHA256
d7150437b76b84dc43c2919a4b52015c07e12771269ea8ff1c386499acd8042e

SHA512
91339d546e1bce6bb0730c77041932e1e37a006484fd7a3fd2c8de4784df41bfa0b573559159d2f9aa0aec83ffcf7c909b7ad31b5242e983bdaf2edeb1ed8cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
dfc437052a9dc782cd05c0bd30d96743

SHA1
2c72ca5135cffc46f87c876cc31b7d168a048405

SHA256
fad3317c5bb310e9884616e10c784864ed23cc949777de33be7345b766f635c2

SHA512
9fa7822b2fbd27d47df753f05f6ce790f16994387d1c73bf2d6963dbad555071f5e7e70faf28b13283cc3240d822c9611f079478dc85e7a38cfe6b4beda83a91

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\EXE\Internet Explorer.exe

Filesize
10KB

MD5
fe02f5cf93b341ab166fe4297592aaff

SHA1
3eb39ca179a136cab8d6e65829d4783809140352

SHA256
4d19372ed4d5553d54b236738a7ce1790f9a2949bd4fbf91e57dbe0bf294ece1

SHA512
52045e536de1fa23d8fdd63dd6b505570fdfd494c8e9044b6aea5ed386ec115bb50938e7094f094aa355a5bea9d47d50cba9e40780e874cb18832f3d2dfd6927

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\EXE\Windows Explorer.exe

Filesize
10KB

MD5
5fa87e17255fdc462c52b245adbf669a

SHA1
6c7acef880890ace33088c9b9017358c45de96bd

SHA256
bead024ec768ca8693c2ff7a77b30059c58cb3baaa9468e91697b4bd2e897bc7

SHA512
06d7facff7d0d2715bef9a4c4c18791a5f31ced6ad53b0e2d7e1376cceb050eef32c930491072d91471a06c9544497ada1cec8c3748cbdf18ea337b0035f3a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\EXE\Windows Media Player.exe

Filesize
10KB

MD5
178a57d57c25c477ce672e343af4b940

SHA1
395fe64afb3508bed980f6c3c251a13e151d2bc8

SHA256
1e9b58ccba930fab6b4fc068d6212eefa3af9d044561d247eaa60e98440614a2

SHA512
7d871f3bb1a1815cd8ef55f7fa6dc27e5739e8ec4ee43271ed053948d00b0357f7223d13c1c485296e0493e32d4266ffe230caed9f9d41d50b73f6bc957ab367

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\InternetExplorer.ico

Filesize
4KB

MD5
2d14fe9fa6d3f40a6ecef5d5446a763a

SHA1
f312cd8312a41c5aed3bb609be3f7e9a1bc4f0f5

SHA256
03549b1b39e9b471c0c95a9dc673fd0c5be53ccfe81cf7811580aa59f2ed4fbb

SHA512
562f34d14216f50a7641afd2d927ee2ee0512389b097112d111a88709241f9e777d79e7f1a3ef5dd172d6efbb68d65f0161e13020baeb74ff4c16b060e4111df

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\WindowsExplorer.ico

Filesize
4KB

MD5
ee136b4101d0e996d462c2c5de0beb95

SHA1
65cfa6ea0637548488e869ed8ac02c87906c0a5b

SHA256
d8b40d56ccc920590d12e1bb90c39e608e7176b97a0c4ad5acd36019e619b3d5

SHA512
faaf7f3dfcef2e2bef2cea7b99f793d1d8e114846412fd5522daed5eb58eb453c2b87a34ce76da4da9880d0d09ab6cc227a32d02fbd90d6aba25a8f04a6dbc82

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\WindowsMediaPlayer.ico

Filesize
4KB

MD5
b2d35307c54450031b14fe5d694504d1

SHA1
17162851491fc499354ff1ec3dfa9912a07fb2c5

SHA256
a8543223e7c0cf878d52102af6dd4df94a6089da16caec76ab7dd98ec9297012

SHA512
02003d491e8f3d98cec43f815f9cc48036594a67052372bdfd47686e5cd3f38769b2ec43d06b560ebe43ef11813916ee006d633c84662b76bddc645d8c009886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
C:\Users\Admin\Desktop\CPN BIBLE.pdf

Filesize
437KB

MD5
072bde13a5776d6b4e9872f7abce20c2

SHA1
257fe039b6eaa22b094269833cd96e9c38179046

SHA256
a2661e745c48a2ad8d6ad29490dfbf08f34a6fe00ae878325f5a1fdc1195c4ed

SHA512
cfca93a53717ffb5b9d918893f6b143b5d22c9cd4a56150649788f00b9d0d1849606034644c06bdf84700ad064292afeba56a1e7eaab76b6fe061ef678359a54

Download Submit
C:\Users\Admin\Desktop\DECRYPT.exe

Filesize
362KB

MD5
c36c656d1606347a35f226322f246fae

SHA1
d2410ad59eb1793ad12921b379292b4d6d86e33e

SHA256
9dc3e29206f2d22ec9afd52a7bdcee28d081b93605953dd72cfb3b8e8afb7595

SHA512
8d6bf8341200bfafeadd3a5fa145525c95bb2ddb6f6c4936568fb2b1f0a6e22b2998259975862f5e076313b36a19c4472428a01b996e49fd23a777641e5dc3fd

Download Submit
C:\Users\Admin\Desktop\DECRYPT.exe

Filesize
362KB

MD5
c36c656d1606347a35f226322f246fae

SHA1
d2410ad59eb1793ad12921b379292b4d6d86e33e

SHA256
9dc3e29206f2d22ec9afd52a7bdcee28d081b93605953dd72cfb3b8e8afb7595

SHA512
8d6bf8341200bfafeadd3a5fa145525c95bb2ddb6f6c4936568fb2b1f0a6e22b2998259975862f5e076313b36a19c4472428a01b996e49fd23a777641e5dc3fd

Download Submit
C:\Users\Admin\Desktop\DECRYPT.exe

Filesize
362KB

MD5
c36c656d1606347a35f226322f246fae

SHA1
d2410ad59eb1793ad12921b379292b4d6d86e33e

SHA256
9dc3e29206f2d22ec9afd52a7bdcee28d081b93605953dd72cfb3b8e8afb7595

SHA512
8d6bf8341200bfafeadd3a5fa145525c95bb2ddb6f6c4936568fb2b1f0a6e22b2998259975862f5e076313b36a19c4472428a01b996e49fd23a777641e5dc3fd

Download Submit
C:\Users\Admin\Desktop\Federal Reserve.jpg

Filesize
48KB

MD5
8b515a483fb8addfa245c4eef208719e

SHA1
c2d4a921ff4b9717a13780e84b6f24cce7c98274

SHA256
6daa510f4f587955e07a728dd75fb63d591fae136686dc73381fc62d54771096

SHA512
0b7f4c97835a1db3017937b6224f9e38ab0a938de77b26d723a16662fa8d455376a03ce52ded91ed9b106f27c481074d2e1c5b30271fdcc23b3f0b152c7183dd

Download Submit
C:\Users\Admin\Desktop\READ-ME-NOW.txt

Filesize
645KB

MD5
6675a7793d6758a8ae6bd60ea81cb58e

SHA1
e4f567ce960f5d6e9f39d8c9cf33cb614766c85d

SHA256
00089b3f5498a32297829aae43bf7bdf3690428abac8c8b4a4ce40c94bed31e0

SHA512
f9fbee5b857fe2ac8cff1cc5fab7f189789232ca329232125f040c4c9d0da7a509ecbb543fd7707542b8630428be5551ccf43a7ca9f18675f270574b950d1180

Download Submit
C:\Users\Admin\Desktop\READ-ME-NOW.txt

Filesize
645KB

MD5
a5439b6c3d61b3a547eafe5f108b984a

SHA1
2624a2efb9073fccc176aeca79250de8e0e74c6f

SHA256
a784b4526d8a260741240a5aa50bc834ea2a812de5dddb71bb0472c2cfbef869

SHA512
8396c5038b42aafdbbc90380021eff3c15873ea6ccd04be209ec4721c47773b2fffa1e5fe49e6dabc4c0c395f10e3c657c978284e886e258c7f0e73999d532bf

Download Submit
C:\Users\Admin\wd\windowsdefender.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
C:\Users\Admin\wd\windowsdefender.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\AppData\Local\Temp\DB8oZUaTmbOF.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\AppData\Local\Temp\_github.com..Blank_c2682\python311.dll

Filesize
1.6MB

MD5
8534c15a4eb10120c60c9233d2693dec

SHA1
126a52080ecaec660bfd56f8e3c76fb0f8b664c8

SHA256
fd6e6c75180af0d08c9e78831229468c7047003dd995303004f66891fccec392

SHA512
1064b385a5d5f7e8061913321bca64865ed5569b4629b6a2728852ade84857f6f370d823b86542fa5943d1548ec55e65029eba7a94285a6d3c00d106c0e868a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blank Grabber.exe

Filesize
7.9MB

MD5
490ecd8f11af9825f52d4d8e7cc23b5e

SHA1
190cc0eb80e9661526ccf35955e90487c21247a2

SHA256
d65e380cf242a95cecb67b7dcd7fb4fda715bd7ab7b42a53255fe1521e00c3b5

SHA512
6f09348dcc08522588158e0988fdf19eae30a96e995fa50d784745ec0a301415a3e7d528264517d484ee7791011f23c0072afae79c8212cfa7953528a8d02426

Download Submit
\Users\Admin\Desktop\DECRYPT.exe

Filesize
362KB

MD5
c36c656d1606347a35f226322f246fae

SHA1
d2410ad59eb1793ad12921b379292b4d6d86e33e

SHA256
9dc3e29206f2d22ec9afd52a7bdcee28d081b93605953dd72cfb3b8e8afb7595

SHA512
8d6bf8341200bfafeadd3a5fa145525c95bb2ddb6f6c4936568fb2b1f0a6e22b2998259975862f5e076313b36a19c4472428a01b996e49fd23a777641e5dc3fd

Download Submit
\Users\Admin\Desktop\DECRYPT.exe

Filesize
362KB

MD5
c36c656d1606347a35f226322f246fae

SHA1
d2410ad59eb1793ad12921b379292b4d6d86e33e

SHA256
9dc3e29206f2d22ec9afd52a7bdcee28d081b93605953dd72cfb3b8e8afb7595

SHA512
8d6bf8341200bfafeadd3a5fa145525c95bb2ddb6f6c4936568fb2b1f0a6e22b2998259975862f5e076313b36a19c4472428a01b996e49fd23a777641e5dc3fd

Download Submit
\Users\Admin\wd\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\wd\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\wd\windowsdefender.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
\Users\Admin\wd\windowsdefender.exe

Filesize
28KB

MD5
7fcdcaa0df4e732f66a9bd29a93aca61

SHA1
0da1dda6bf065a634763df786f65b9b89dcec290

SHA256
95348accec5a3e7e3f424db8fe57135063692c02f80bcc035f69f747f942c9e6

SHA512
eedd7cf4bbb454d437f39e6374b685f82954d8da8be4cfdae51dac2ee14471261088cc571d470a8bbda70bedaf379fcb13c9da70628e5ceb6292e53ae886d742

Download Submit
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/268-61-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download
memory/304-129-0x0000000000000000-mapping.dmp

Download
memory/520-83-0x0000000000000000-mapping.dmp

Download
memory/588-69-0x0000000002080000-0x00000000020F6000-memory.dmp

Filesize
472KB

Download
memory/588-62-0x0000000000000000-mapping.dmp

Download
memory/672-152-0x0000000000000000-mapping.dmp

Download
memory/828-68-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/828-56-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/828-57-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/828-54-0x0000000000880000-0x00000000015BC000-memory.dmp

Filesize
13.2MB

Download
memory/828-55-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/828-67-0x0000000005030000-0x000000000504A000-memory.dmp

Filesize
104KB

Download
memory/844-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-77-0x000000000044943E-mapping.dmp

Download
memory/844-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/844-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/872-137-0x0000000000000000-mapping.dmp

Download
memory/872-142-0x000007FEF56C0000-0x000007FEF5CA7000-memory.dmp

Filesize
5.9MB

Download
memory/888-149-0x0000000000000000-mapping.dmp

Download
memory/1124-119-0x0000000000000000-mapping.dmp

Download
memory/1128-101-0x0000000000000000-mapping.dmp

Download
memory/1128-104-0x00000000013E0000-0x00000000013EC000-memory.dmp

Filesize
48KB

Download
memory/1128-90-0x0000000000000000-mapping.dmp

Download
memory/1256-168-0x0000000004DF5000-0x0000000004E06000-memory.dmp

Filesize
68KB

Download
memory/1256-166-0x0000000004DF5000-0x0000000004E06000-memory.dmp

Filesize
68KB

Download
memory/1256-162-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1256-157-0x0000000000000000-mapping.dmp

Download
memory/1408-133-0x0000000000000000-mapping.dmp

Download
memory/1420-105-0x0000000000B30000-0x0000000000B4E000-memory.dmp

Filesize
120KB

Download
memory/1420-107-0x0000000005970000-0x00000000059DC000-memory.dmp

Filesize
432KB

Download
memory/1420-94-0x0000000000000000-mapping.dmp

Download
memory/1420-174-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1420-106-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/1420-110-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/1420-97-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/1628-89-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/1628-86-0x0000000000000000-mapping.dmp

Download
memory/1828-111-0x0000000000000000-mapping.dmp

Download
memory/1844-126-0x0000000000000000-mapping.dmp

Download
memory/1872-115-0x0000000000000000-mapping.dmp

Download
memory/2004-159-0x0000000000000000-mapping.dmp

Download
memory/2004-167-0x0000000004835000-0x0000000004846000-memory.dmp

Filesize
68KB

Download
memory/2004-169-0x0000000004835000-0x0000000004846000-memory.dmp

Filesize
68KB

Download
memory/2036-122-0x0000000000000000-mapping.dmp

Download