limerat | 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e

Analysis

max time kernel
1197s
max time network
1198s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
19-06-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

240KB
MD5

16deda7a7a2e8f354fbff30ad723a711
SHA1

8730e18a2fc9722f7700c1192b3cc941169d7701
SHA256

4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
SHA512

6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd
SSDEEP

6144:RFCE/UVPy/oCa+LDZWC9z52oMbWknq1dissN:zCzPygCa+DZunq1cd

Score

10^/10

limerat defense_evasion evasion execution impact ransomware rat trojan

Malware Config

Extracted

Family

limerat

Wallets

False

Attributes

aes_key
1
antivm
false
c2_url
https://pastebin.com/raw/GfV4LBjE
download_payload
false
install
true
install_name
svchost.exe
main_folder
False
payload_url
True
pin_spread
true
sub_folder
True
usb_spread
false

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral3/memory/2684-1-0x0000023AD3860000-0x0000023AD38A2000-memory.dmp	disable_win_def
behavioral3/files/0x0003000000025db0-25.dat	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Client.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Executes dropped EXE 1 IoCs

pid	Process
864	svchost.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
49	pastebin.com
54	pastebin.com
64	pastebin.com
80	pastebin.com
92	pastebin.com
106	pastebin.com
111	pastebin.com
17	pastebin.com
42	pastebin.com
58	pastebin.com
65	pastebin.com
69	pastebin.com
77	pastebin.com
81	pastebin.com
114	pastebin.com
117	pastebin.com
84	pastebin.com
11	pastebin.com
14	pastebin.com
16	pastebin.com
51	pastebin.com
53	pastebin.com
62	pastebin.com
67	pastebin.com
75	pastebin.com
98	pastebin.com
19	pastebin.com
27	pastebin.com
68	pastebin.com
78	pastebin.com
86	pastebin.com
88	pastebin.com
29	pastebin.com
46	pastebin.com
90	pastebin.com
95	pastebin.com
99	pastebin.com
105	pastebin.com
110	pastebin.com
116	pastebin.com
15	pastebin.com
33	pastebin.com
40	pastebin.com
85	pastebin.com
91	pastebin.com
108	pastebin.com
109	pastebin.com
12	pastebin.com
66	pastebin.com
71	pastebin.com
101	pastebin.com
104	pastebin.com
22	pastebin.com
25	pastebin.com
59	pastebin.com
83	pastebin.com
103	pastebin.com
112	pastebin.com
26	pastebin.com
44	pastebin.com
48	pastebin.com
74	pastebin.com
82	pastebin.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2796	cmd.exe
1944	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Interacts with shadow copies 3 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1904	vssadmin.exe
2348	vssadmin.exe
4240	vssadmin.exe
2248	vssadmin.exe
420	vssadmin.exe
1692	vssadmin.exe
912	vssadmin.exe
4876	vssadmin.exe
4472	vssadmin.exe
1400	vssadmin.exe
2024	vssadmin.exe
2316	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe
1652	schtasks.exe
4116	schtasks.exe
3924	schtasks.exe
364	schtasks.exe
336	schtasks.exe
3644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2684	Client.exe
2684	Client.exe
2684	Client.exe
4664	powershell.exe
4664	powershell.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	Client.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe
Token: SeBackupPrivilege	2684	Client.exe
Token: SeSecurityPrivilege	2684	Client.exe
Token: SeBackupPrivilege	2684	Client.exe
Token: SeDebugPrivilege	864	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2796	2684	Client.exe	78
PID 2684 wrote to memory of 2796	2684	Client.exe	78
PID 2796 wrote to memory of 544	2796	cmd.exe	80
PID 2796 wrote to memory of 544	2796	cmd.exe	80
PID 2796 wrote to memory of 4860	2796	cmd.exe	81
PID 2796 wrote to memory of 4860	2796	cmd.exe	81
PID 2684 wrote to memory of 4664	2684	Client.exe	82
PID 2684 wrote to memory of 4664	2684	Client.exe	82
PID 2684 wrote to memory of 4600	2684	Client.exe	84
PID 2684 wrote to memory of 4600	2684	Client.exe	84
PID 2684 wrote to memory of 1352	2684	Client.exe	85
PID 2684 wrote to memory of 1352	2684	Client.exe	85
PID 2684 wrote to memory of 2924	2684	Client.exe	86
PID 2684 wrote to memory of 2924	2684	Client.exe	86
PID 2684 wrote to memory of 4780	2684	Client.exe	87
PID 2684 wrote to memory of 4780	2684	Client.exe	87
PID 2684 wrote to memory of 2304	2684	Client.exe	88
PID 2684 wrote to memory of 2304	2684	Client.exe	88
PID 2684 wrote to memory of 3908	2684	Client.exe	89
PID 2684 wrote to memory of 3908	2684	Client.exe	89
PID 2684 wrote to memory of 3740	2684	Client.exe	90
PID 2684 wrote to memory of 3740	2684	Client.exe	90
PID 2684 wrote to memory of 664	2684	Client.exe	91
PID 2684 wrote to memory of 664	2684	Client.exe	91
PID 2684 wrote to memory of 1916	2684	Client.exe	92
PID 2684 wrote to memory of 1916	2684	Client.exe	92
PID 2684 wrote to memory of 3944	2684	Client.exe	93
PID 2684 wrote to memory of 3944	2684	Client.exe	93
PID 2684 wrote to memory of 2220	2684	Client.exe	94
PID 2684 wrote to memory of 2220	2684	Client.exe	94
PID 2684 wrote to memory of 1948	2684	Client.exe	95
PID 2684 wrote to memory of 1948	2684	Client.exe	95
PID 2684 wrote to memory of 3900	2684	Client.exe	96
PID 2684 wrote to memory of 3900	2684	Client.exe	96
PID 4780 wrote to memory of 1400	4780	cmd.exe	110
PID 4780 wrote to memory of 1400	4780	cmd.exe	110
PID 664 wrote to memory of 4472	664	cmd.exe	111
PID 664 wrote to memory of 4472	664	cmd.exe	111
PID 2304 wrote to memory of 2348	2304	cmd.exe	112
PID 2304 wrote to memory of 2348	2304	cmd.exe	112
PID 3740 wrote to memory of 2316	3740	cmd.exe	113
PID 3740 wrote to memory of 2316	3740	cmd.exe	113
PID 3900 wrote to memory of 4876	3900	cmd.exe	114
PID 3900 wrote to memory of 4876	3900	cmd.exe	114
PID 2220 wrote to memory of 4240	2220	cmd.exe	115
PID 2220 wrote to memory of 4240	2220	cmd.exe	115
PID 3908 wrote to memory of 1692	3908	cmd.exe	116
PID 3908 wrote to memory of 1692	3908	cmd.exe	116
PID 1948 wrote to memory of 2248	1948	cmd.exe	117
PID 1948 wrote to memory of 2248	1948	cmd.exe	117
PID 1916 wrote to memory of 420	1916	cmd.exe	118
PID 1916 wrote to memory of 420	1916	cmd.exe	118
PID 4600 wrote to memory of 912	4600	cmd.exe	120
PID 4600 wrote to memory of 912	4600	cmd.exe	120
PID 1352 wrote to memory of 1524	1352	cmd.exe	121
PID 1352 wrote to memory of 1524	1352	cmd.exe	121
PID 2924 wrote to memory of 2024	2924	cmd.exe	122
PID 2924 wrote to memory of 2024	2924	cmd.exe	122
PID 3944 wrote to memory of 1904	3944	cmd.exe	123
PID 3944 wrote to memory of 1904	3944	cmd.exe	123
PID 2684 wrote to memory of 1652	2684	Client.exe	125
PID 2684 wrote to memory of 1652	2684	Client.exe	125
PID 2684 wrote to memory of 4116	2684	Client.exe	127
PID 2684 wrote to memory of 4116	2684	Client.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
544	attrib.exe
4860	attrib.exe
292	attrib.exe
4928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
    3⤵
    - Views/modifies file attributes
    PID:544
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
    3⤵
    - Views/modifies file attributes
    PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:912
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:1524
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2348
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1904
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4240
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4876
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1652
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "02:28" /sc daily /mo "3" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4116
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "05:08" /sc daily /mo "2" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3924
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "12:13" /sc daily /mo "2" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:364
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "15:52" /sc weekly /mo "5" /d "Thu" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:336
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "23:07" /sc monthly /m "aug" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3644
- C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1944
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
      4⤵
      Views/modifies file attributes
      PID:292
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      4⤵
      Views/modifies file attributes
      PID:4928
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdnl1i0o.vjo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

Filesize
240KB

MD5
16deda7a7a2e8f354fbff30ad723a711

SHA1
8730e18a2fc9722f7700c1192b3cc941169d7701

SHA256
4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e

SHA512
6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd

Download Submit
memory/2684-20-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

Filesize
8KB

Download
memory/2684-1-0x0000023AD3860000-0x0000023AD38A2000-memory.dmp

Filesize
264KB

Download
memory/2684-2-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/2684-33-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/2684-0-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

Filesize
8KB

Download
memory/2684-21-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-13-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-18-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-15-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-14-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-12-0x00007FF830B90000-0x00007FF831652000-memory.dmp

Filesize
10.8MB

Download
memory/4664-5-0x000002279E540000-0x000002279E562000-memory.dmp

Filesize
136KB

Download