limerat | 269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

Resubmissions

24-08-2023 17:14

230824-vr7mbseb56 10

24-08-2023 17:09

230824-vn81zsfg21 10

Analysis

max time kernel
213s
max time network
216s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-Client.exe
Size

28KB
MD5

19d3bedf1ee8ae14fa8b095f3409cc11
SHA1

47ec9ed3a4043721cbe3e5758b5298090bec214d
SHA256

269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d
SHA512

df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8
SSDEEP

384:0y+Sbj6NKQhW6dNAHN0s1qDIp6al2ra0JEvDKNrCeJE3WNgQavhGACeLQro3lcGJ:BpQ86dNwN56E2ra0Jq45NcZJRj

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
65AF55741941
antivm
false
c2_url
https://pastebin.com/raw/aEid41SM
delay
3
download_payload
false
install
true
install_name
Wservices.exe
main_folder
AppData
pin_spread
true
sub_folder
\pencil\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Executes dropped EXE 1 IoCs

Processes:

Wservices.exe

pid process

3028 Wservices.exe
Loads dropped DLL 5 IoCs

Processes:

New-Client.exeWservices.exe

pid process

944 New-Client.exe
944 New-Client.exe
3028 Wservices.exe
3028 Wservices.exe
3028 Wservices.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe

pid	process
944	New-Client.exe
944	New-Client.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe

pid	process
2004	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37C57271-42A2-11EE-93BF-EADD0F58E8CF} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

Wservices.exechrome.exe

pid	process
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
1920	chrome.exe
1920	chrome.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe
3028	Wservices.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Wservices.exechrome.exeShutdown.exe

description	pid	process
Token: SeDebugPrivilege	3028	Wservices.exe
Token: SeDebugPrivilege	3028	Wservices.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	2000	Shutdown.exe
Token: SeRemoteShutdownPrivilege	2000	Shutdown.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exeiexplore.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
2568	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2568 iexplore.exe
2568 iexplore.exe
2780 IEXPLORE.EXE
2780 IEXPLORE.EXE
2780 IEXPLORE.EXE
2780 IEXPLORE.EXE

pid	process
2568	iexplore.exe
2568	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New-Client.exechrome.exe

description	pid	process	target process
PID 944 wrote to memory of 2004	944	New-Client.exe	schtasks.exe
PID 944 wrote to memory of 2004	944	New-Client.exe	schtasks.exe
PID 944 wrote to memory of 2004	944	New-Client.exe	schtasks.exe
PID 944 wrote to memory of 2004	944	New-Client.exe	schtasks.exe
PID 944 wrote to memory of 3028	944	New-Client.exe	Wservices.exe
PID 944 wrote to memory of 3028	944	New-Client.exe	Wservices.exe
PID 944 wrote to memory of 3028	944	New-Client.exe	Wservices.exe
PID 944 wrote to memory of 3028	944	New-Client.exe	Wservices.exe
PID 1920 wrote to memory of 1984	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1984	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1984	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2396	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1376	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1376	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1376	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 2624	1920	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2004
- C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oeu2rdiu.cmdline"
    3⤵
    PID:2696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baenk8xg.cmdline"
    3⤵
    PID:440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E94.tmp"
      4⤵
      PID:2840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ah9c0_bx.cmdline"
    3⤵
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F7E.tmp"
      4⤵
      PID:1516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\umsxu2ra.cmdline"
    3⤵
    PID:936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES604A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6049.tmp"
      4⤵
      PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
    3⤵
    PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
    3⤵
    PID:1712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
    3⤵
    PID:1020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
    3⤵
    PID:1376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
    3⤵
    PID:1704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2780
- - C:\Windows\SysWOW64\Shutdown.exe
    Shutdown /s /f /t 00
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67d9758,0x7fef67d9768,0x7fef67d9778
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3180 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3320 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3672 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3216 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=1204,i,17711617527659613117,15959443759318662615,131072 /prefetch:8
  2⤵
  PID:1548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1072

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78eed70c96a12251d894d7b7d5f11a5a

SHA1
a677a3c8ab4bc7b4ded05215a7aa4cd2d2b19aff

SHA256
c95dafc9f84cbb817bbcf803aab09d37365fcdb501aebb6d060da64df65a8546

SHA512
e1a533c87769e2c80b3b95e1540d8d07197763ee4d845c2357121f3d467802b8e72bae6a96f2016f585fd31b9a93adf798c78b36a7c1408e8f26a7e586d931a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c535c79db95393caee3397db8281010f

SHA1
20cd552e42de2fd70d7eae8346c09b302ef66fe6

SHA256
fc1f4e92eb832cfc1b88fc60e1eb1e02601e4cb656c7efe13521d8f4698f06bf

SHA512
e0ff72298d8b029482f4f4169933f9fd533030e13b1e5f771a46510210f54fd643f2fadde072633ed97bd78c002b3d3ed2d75c7cbb6725d98495fd04b8682b5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bc6e07a4d130086d6bddd1548e843d6

SHA1
8df12922a24fc67e35d586357ec0035f0d46c57b

SHA256
f8790ddba11c37287142794daabf60417c3b157142b62b248a19b79a91eef646

SHA512
bd0ff46bceb162c3cff641e12d293326db3d591ae98dbe4bb5137cdc3e7331dfd9a929d4278c3e8f0493f89d47b370ea268ece9093fc4e41e3f525a3e438bd2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa1be415443e698de1d7b09e5418ee57

SHA1
c19e9128ca281af2a50e503f5d42a28b84e7e233

SHA256
83b25d2bbf0b8986e0a28cba760a12d42e7093c44c0de1912321d22ca888d995

SHA512
630b4201f2b2d721588825336810e20f2c8645ba9c5f6ff5a4019e1a0e6eedb7d3a45ddceb0704d18de96f2f2bb94932cbb7b6a6c3c70244154cc63277e4450f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4c9a8cea237e53c680656fb8b9a0e50

SHA1
1bba036443ef99cee7863f682b788f0703c71e3a

SHA256
7019db65c1686bb7ffe64e4b8c00d99679e20c2edf17d50daafb618e7e56fd2e

SHA512
b442b501e7a1180c3db2b78f8f7c46e06bceef7af7c5cc68306e43800d899259d60479cf646dda66fcfb9a5826b025feaf3cf3105571bbe9f0e3a5a5d13671c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3755dbcfdd96d4cf6056f3df9319f61f

SHA1
f355c87d1c5d71afbe9c8f07f41ec534a93da1c5

SHA256
c1902af803ee5d0294dd7198e67cb94cf480f769a5fde17cd2da68ed4dbf12ed

SHA512
22d2e8d7a383c7b4b4d722ca04775efbe18c98d405d75f61c5252b46e5af7def2329250c7978655db0864ef7ea53f64372463edd6446aa754778754ac9a353a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3a3ff580cfb02d6519b3ecd54ba7719

SHA1
dad0f04c8e85b5dd6ff6bafada8eaf0f0b6e2061

SHA256
3bb3cf8a45e806fae06d04cb80b6c923eb868a8522bf90e58110a02e993fba44

SHA512
69e86f49fbc852bd62cb425ada6a400612df9c93066dc99566149f6c653016bb51f36a25797ee1d01fd0b2250966157e198bd802f7b640f58c3a85bd8bccc469

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b56c9c5325b634973a983091cfd880d

SHA1
cbc08e7ee93de6b63a4757aa648193855dba07db

SHA256
f2a87fec63bf832e6733abc8299cce625624ab8fb203b0fa35f9518d93e53d3c

SHA512
741b8dbe0fd9cadf52c2c75467eaea00852aeaaf51dd5c95469ea83e29ce62ee371ad5fe6e5241c0cba9318525d40412d010907399ee62bfb69fe11c1a0ac291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b6a1f8baf9d4327a300090deabfd4ea

SHA1
f46756ec20e30ff0df0ed875efb2fd4c4ce6c1f5

SHA256
6adc82b3ee090373428ea70af479dcb8cf4df986fa29595bac371e97a92ca575

SHA512
b30df93ac5b874ca191544938dffa24030e0f39bc500fe2ff452d61250a9b4a1459f99026b6b0d83aadfe6ef7147b72404b33fc30a652daebcf022f4c96cb768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8d15340b-50e8-4784-950e-b0d77d920cc7.tmp

Filesize
184KB

MD5
0d1bbb976e19c81777a691db06a3e277

SHA1
74a29320c70fd6e2ccfa83f63b27c9503306c3f1

SHA256
1a1d4bec184059d27ef501b180959d79ad468f784bf94730272e6b86fbc68ae0

SHA512
e2fa33dec3f5d3f06cdaa92fdbf6666fd5f148e337267ff327135f703dcf3f542f9affd3940ab2627b391357ad67fccc2e3100e2117603f93ed36ed3936185d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
208cf73f27ca7d95a3585ba48c001059

SHA1
6053d80e7e49724f626bf0eaf9582e09b569256e

SHA256
1fa21ae13d0d64da838d4c2f3d2f3f6139f1720a974ad8a5e7e1f3079dc62225

SHA512
223fd5ce9fad01575f86593b42505ca967e6ab58fd929260a51103e5b72cbc74f7ca92ab31044ae20e813c85fd6293fe5a927ab4af3d9f74230d2df04e420905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
184KB

MD5
a9e4f9b6e9cfbfbe8ed59ebabffc4808

SHA1
feed3a76d6c84814067d88cfa50e65b406a17d8a

SHA256
419fd66f825a927c0df94abe8fa032e253ad7302caf8fd5b1db63ba6d0067dfe

SHA512
eb7668e98747c3fb1f0de1d01426976601095a494df45d4f01530643c9f3a290dea8331725f83a72d73b15f409240a71b3b057d2884cd01c1a8ab006d2263594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cwy38xe\imagestore.dat

Filesize
5KB

MD5
397d49307d74db9296562e3995226545

SHA1
cd74b27f888fababaffe56fe86f9f621cb883015

SHA256
607ffa94dd73afabc48bda6376ff8e4262b4fadb57820a20f6a782d3cade9176

SHA512
b433dd66a2bfd17ec17e71b97d2edb63448f223038a519e80f72b4cac489166500211bb8ce9e2ca24a823c81ead7f767be0d4ecd2218479de35c1dc7505b6e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DQTNP48\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab928.tmp

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E95.tmp

Filesize
5KB

MD5
c52bfc036efa166cad649271a577b56d

SHA1
0e8d46b65914fdb7600c4c34a7d0fda7971cc0cd

SHA256
9676542b754c31bfd8b862cbd3054b3c78a5984a7f23de02324446e10ff308f2

SHA512
5301f484938bfd526b74d11b8a23ce55bc52a66e179d7d4d0e06d8505c981172db41c7b3e49495f1e3725b4f5a1aad20c32c55449e77934010129b7dad70dbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F7F.tmp

Filesize
5KB

MD5
4a73183d45b9e208554e4e2322dfde63

SHA1
ba6f138c84a5216e3155787204136db95e1d11e8

SHA256
52222de642b740383c65abd76f54248f9941af20bf38034dc29905f513e19d8e

SHA512
4692ae22f1fccf724c8679807b2616a163bc54533837d02ddc16bf653031e18ff2f4f1228788fe2d957325c6301aa721c626cdfd1763a37039113225aa81468d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES604A.tmp

Filesize
5KB

MD5
9ed6f3122d8d8ea92801ca6e5d4332bb

SHA1
4f6ff7b2fb05f60bf6edf4671bab5794489eb30b

SHA256
bd83d8426b20a3a71d5fa7926e165f677d380bcc916d24343ded495f4161bb80

SHA512
6f40aaa04bb25163f612b85644e6e5e5dc370bdf86ff60cfb3e413d269cbcb9b0774efda0c7c5d8fa25446a04b250fff53b195d0d0f5d861f209c80123e16cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA05.tmp

Filesize
163KB

MD5
19399ab248018076e27957e772bcfbab

SHA1
faef897e02d9501146beb49f75da1caf12967b88

SHA256
326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

SHA512
6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah9c0_bx.0.vb

Filesize
240B

MD5
67a2ccab0095bc92374060bc1ce02692

SHA1
bae0d8f9bf01ee077200dd846f44d62619df4b40

SHA256
9b8206910d039684c78e91a26775e7d0fc790a711d22c0a7a9fed320d043509e

SHA512
c23f7d0eac69ad3dfca27ce0aa5ffa16bfe93b90aa44ba58e0b251305828108a3a20f62a56dc5986c05a2fccbbb9f11a3ad3d03e0d6ff1b9ef9dd2afc87f91e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah9c0_bx.cmdline

Filesize
290B

MD5
520e3613c8cdc55fdcad5551550470fd

SHA1
5f8f6b1637336695f1db0814d1813e595b03d93a

SHA256
67aa4b4487384a05abe5701b0c78d1ff129ca9778b0c74e300ab7dd6b5335e90

SHA512
6011ef58b6a1945047adcd18fdb8a814000c016b3655f50a3caca217af003d24049a619fcb2744ac8f6564f603a7768c5e4ab12065e0e2cc7e03114b4cc68ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\baenk8xg.0.vb

Filesize
241B

MD5
9016ff602f6f78ad428e3f96657a3052

SHA1
14389a39ec0f06bd03bf280a95826d6337b2e7b3

SHA256
68fb9e26077ef2b5aecbf8bb5e4749ae2c9bcc9283b163116bf6fe52495d027c

SHA512
d11b297edba8b2c59c3b26b4a136983fb7c899df3b2ee08c578bb1a132881fdf2777de8b52d0fa95cdd355f5496d33e9d00e90f34de035ed738efb98389d7793

Download Submit
C:\Users\Admin\AppData\Local\Temp\baenk8xg.cmdline

Filesize
292B

MD5
c12ac6101f57744bcbc22a914b2de50f

SHA1
8ba815faf0a2cc9e0dad554c643bce70c2570d3a

SHA256
80dac538af5baa5a3d63f1a385097f9f3a6acf4edb8f90ff2f85ee4db5bda76a

SHA512
7665c06d18cdcb8d69fc979882fd7e7e96038c12f614d40a66f93c5b96b4c0dbc559902c89275707d5d5bd7e43f7a8d4201717bc77bd68683f35064063db563e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeu2rdiu.0.vb

Filesize
237B

MD5
8fb9532be1ad79e10d85e26671f9e4d9

SHA1
952b309505036b18685f7fda3e82b1b80aad2514

SHA256
2a3e1bdf8b44569d9eb8626d2558bf1b2dba4f9921431e19e0f2f77e8328cd12

SHA512
3ddcb8e963dff6e30d00b929373102061a18ab6ed90d38840f9c90d077ad30a46db4190608ff0fcb53c3fb3bdc142d3b124b187bb55f5fd496dc7515234017eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeu2rdiu.cmdline

Filesize
284B

MD5
0fbcadf70159dfb095717bb9f94b871a

SHA1
a425737b723200448e2953bde03a29c75fb6fa3a

SHA256
3492818867f5b495155e2e90b3e269f23cdcd02d74ad4a11e7acb14d288689fc

SHA512
c199ef77d839ed7f419d2741f9e381499f93cbe9438ee6bba434014ce751b8801fb2d12dcccab32519d4b26420c2a646dade9529ac4a7b35e2ceab23d92d5fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\umsxu2ra.0.vb

Filesize
244B

MD5
ac373a59994da40ddbc2113ec6efa851

SHA1
bc9ce22db9f2c853106eb505f55ed4a36ba16128

SHA256
6ecdfb444687ec70a3bdda707ed7ce2bf8b6e6363c9d1afea7f0d579e0fd3731

SHA512
6483fc2ae356fb2ef26275f178df3cef05d53f2030c53b4cf8bfbe59e06737e12b1bc7086c67ed13fb30b3e6bf49d2cfb34c55f48e8d37026de7b68be8dca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\umsxu2ra.cmdline

Filesize
297B

MD5
4967bcf500b235494946c70e3a7446bc

SHA1
1325538c6efe1830c419553c68c462e160fe725d

SHA256
c2f3603f18ce770f24447447a23fce5d63e57d9be684cf1d74208269bd2b55ef

SHA512
adbee40f89a5f51bc5eb829be4cdf253c2cf04bebf8a31ebdd38ee70df5fcc7ac0b5d2bf85c3cdb4f7489a028e237e90d7669bc169d20a0dfe285d5563f32622

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E94.tmp

Filesize
4KB

MD5
afe48426876eedacfdba91eb5176ecf8

SHA1
9da744cfff5427e51c2e7d091408539e03d80a05

SHA256
387dee5276fe1bb1c2c247e24436b03af42c504b6c4c48ed74ddaeae63c7cd6e

SHA512
f22abfb811911e8fdf4cb4df9d980beb9350e3be987debd4989b4a9afb0b0c45966600f013f2822adf26328335a6e39fe2326063aae8c24df5a3fcc9fcc9c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F7E.tmp

Filesize
4KB

MD5
a3487b776d060a4552667931e5382936

SHA1
fe13f9c7c180fac565d5f4ce2c88b1fb8b8023ed

SHA256
d12f09ec4b6d340bfbc6ab928f127a1482e3fd6a4eff6ec090875cdfad642f45

SHA512
e06e4ea67baf67314ae42e23c9737c675f07528c9c66a0ddfc42084be4a0f086c97f10c75015c7f93bdf229e0790136844af227562107627de5b2af00d69985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6049.tmp

Filesize
4KB

MD5
eb7a3f68ceac4a230a060cd5056dcc5a

SHA1
b84047c053b4e1ace70fb47df7d6ffba8551370e

SHA256
d7150437b76b84dc43c2919a4b52015c07e12771269ea8ff1c386499acd8042e

SHA512
91339d546e1bce6bb0730c77041932e1e37a006484fd7a3fd2c8de4784df41bfa0b573559159d2f9aa0aec83ffcf7c909b7ad31b5242e983bdaf2edeb1ed8cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\InternetExplorer.ico

Filesize
4KB

MD5
2d14fe9fa6d3f40a6ecef5d5446a763a

SHA1
f312cd8312a41c5aed3bb609be3f7e9a1bc4f0f5

SHA256
03549b1b39e9b471c0c95a9dc673fd0c5be53ccfe81cf7811580aa59f2ed4fbb

SHA512
562f34d14216f50a7641afd2d927ee2ee0512389b097112d111a88709241f9e777d79e7f1a3ef5dd172d6efbb68d65f0161e13020baeb74ff4c16b060e4111df

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\WindowsExplorer.ico

Filesize
4KB

MD5
ee136b4101d0e996d462c2c5de0beb95

SHA1
65cfa6ea0637548488e869ed8ac02c87906c0a5b

SHA256
d8b40d56ccc920590d12e1bb90c39e608e7176b97a0c4ad5acd36019e619b3d5

SHA512
faaf7f3dfcef2e2bef2cea7b99f793d1d8e114846412fd5522daed5eb58eb453c2b87a34ce76da4da9880d0d09ab6cc227a32d02fbd90d6aba25a8f04a6dbc82

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\WindowsMediaPlayer.ico

Filesize
4KB

MD5
b2d35307c54450031b14fe5d694504d1

SHA1
17162851491fc499354ff1ec3dfa9912a07fb2c5

SHA256
a8543223e7c0cf878d52102af6dd4df94a6089da16caec76ab7dd98ec9297012

SHA512
02003d491e8f3d98cec43f815f9cc48036594a67052372bdfd47686e5cd3f38769b2ec43d06b560ebe43ef11813916ee006d633c84662b76bddc645d8c009886

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
\??\pipe\crashpad_1920_DRHAFFILDIREMMPH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
memory/440-248-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/944-16-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-2-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-15-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-0-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-1-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/944-3-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1120-804-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2352-808-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2696-237-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/3028-53-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/3028-52-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/3028-17-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-807-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-14-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download