9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55

Analysis

max time kernel
49s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe
Size

1.4MB
MD5

e63612dbbc8d0cda759622657174d718
SHA1

653b8cae2e74c89286c03f4d9d517854b393cada
SHA256

9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55
SHA512

59e816500cff3d1f96c51602e6e75ef924203b06b864e01b4a133ba0200dc4af566839612623083e851247a64b621ff8788a19c2eb6829e7d5139a5155ed9950
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4848	netsh.exe
3940	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000023295-236.dat	acprotect
behavioral1/files/0x0007000000023295-235.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4740	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
4740	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023296-232.dat	upx
behavioral1/files/0x0007000000023296-234.dat	upx
behavioral1/memory/4740-233-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0007000000023295-236.dat	upx
behavioral1/memory/4740-237-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/files/0x0007000000023295-235.dat	upx
behavioral1/memory/4740-241-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
556	PING.EXE
4816	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1444	powershell.exe
1444	powershell.exe
4568	powershell.exe
4568	powershell.exe
2200	powershell.exe
2200	powershell.exe
3384	powershell.exe
3384	powershell.exe
3692	powershell.exe
3692	powershell.exe
4324	powershell.exe
4324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3708	WMIC.exe
Token: SeSecurityPrivilege	3708	WMIC.exe
Token: SeTakeOwnershipPrivilege	3708	WMIC.exe
Token: SeLoadDriverPrivilege	3708	WMIC.exe
Token: SeSystemProfilePrivilege	3708	WMIC.exe
Token: SeSystemtimePrivilege	3708	WMIC.exe
Token: SeProfSingleProcessPrivilege	3708	WMIC.exe
Token: SeIncBasePriorityPrivilege	3708	WMIC.exe
Token: SeCreatePagefilePrivilege	3708	WMIC.exe
Token: SeBackupPrivilege	3708	WMIC.exe
Token: SeRestorePrivilege	3708	WMIC.exe
Token: SeShutdownPrivilege	3708	WMIC.exe
Token: SeDebugPrivilege	3708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3708	WMIC.exe
Token: SeRemoteShutdownPrivilege	3708	WMIC.exe
Token: SeUndockPrivilege	3708	WMIC.exe
Token: SeManageVolumePrivilege	3708	WMIC.exe
Token: 33	3708	WMIC.exe
Token: 34	3708	WMIC.exe
Token: 35	3708	WMIC.exe
Token: 36	3708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3708	WMIC.exe
Token: SeSecurityPrivilege	3708	WMIC.exe
Token: SeTakeOwnershipPrivilege	3708	WMIC.exe
Token: SeLoadDriverPrivilege	3708	WMIC.exe
Token: SeSystemProfilePrivilege	3708	WMIC.exe
Token: SeSystemtimePrivilege	3708	WMIC.exe
Token: SeProfSingleProcessPrivilege	3708	WMIC.exe
Token: SeIncBasePriorityPrivilege	3708	WMIC.exe
Token: SeCreatePagefilePrivilege	3708	WMIC.exe
Token: SeBackupPrivilege	3708	WMIC.exe
Token: SeRestorePrivilege	3708	WMIC.exe
Token: SeShutdownPrivilege	3708	WMIC.exe
Token: SeDebugPrivilege	3708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3708	WMIC.exe
Token: SeRemoteShutdownPrivilege	3708	WMIC.exe
Token: SeUndockPrivilege	3708	WMIC.exe
Token: SeManageVolumePrivilege	3708	WMIC.exe
Token: 33	3708	WMIC.exe
Token: 34	3708	WMIC.exe
Token: 35	3708	WMIC.exe
Token: 36	3708	WMIC.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	WMIC.exe
Token: SeSecurityPrivilege	3056	WMIC.exe
Token: SeTakeOwnershipPrivilege	3056	WMIC.exe
Token: SeLoadDriverPrivilege	3056	WMIC.exe
Token: SeSystemProfilePrivilege	3056	WMIC.exe
Token: SeSystemtimePrivilege	3056	WMIC.exe
Token: SeProfSingleProcessPrivilege	3056	WMIC.exe
Token: SeIncBasePriorityPrivilege	3056	WMIC.exe
Token: SeCreatePagefilePrivilege	3056	WMIC.exe
Token: SeBackupPrivilege	3056	WMIC.exe
Token: SeRestorePrivilege	3056	WMIC.exe
Token: SeShutdownPrivilege	3056	WMIC.exe
Token: SeDebugPrivilege	3056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3056	WMIC.exe
Token: SeRemoteShutdownPrivilege	3056	WMIC.exe
Token: SeUndockPrivilege	3056	WMIC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3716	3044	9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe	85
PID 3044 wrote to memory of 3716	3044	9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe	85
PID 3044 wrote to memory of 3716	3044	9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe	85
PID 3716 wrote to memory of 3600	3716	cmd.exe	89
PID 3716 wrote to memory of 3600	3716	cmd.exe	89
PID 3716 wrote to memory of 3600	3716	cmd.exe	89
PID 3600 wrote to memory of 980	3600	cmd.exe	90
PID 3600 wrote to memory of 980	3600	cmd.exe	90
PID 3600 wrote to memory of 980	3600	cmd.exe	90
PID 3716 wrote to memory of 3276	3716	cmd.exe	91
PID 3716 wrote to memory of 3276	3716	cmd.exe	91
PID 3716 wrote to memory of 3276	3716	cmd.exe	91
PID 3276 wrote to memory of 3708	3276	cmd.exe	92
PID 3276 wrote to memory of 3708	3276	cmd.exe	92
PID 3276 wrote to memory of 3708	3276	cmd.exe	92
PID 3716 wrote to memory of 1444	3716	cmd.exe	94
PID 3716 wrote to memory of 1444	3716	cmd.exe	94
PID 3716 wrote to memory of 1444	3716	cmd.exe	94
PID 3716 wrote to memory of 4568	3716	cmd.exe	98
PID 3716 wrote to memory of 4568	3716	cmd.exe	98
PID 3716 wrote to memory of 4568	3716	cmd.exe	98
PID 3716 wrote to memory of 2200	3716	cmd.exe	100
PID 3716 wrote to memory of 2200	3716	cmd.exe	100
PID 3716 wrote to memory of 2200	3716	cmd.exe	100
PID 3716 wrote to memory of 3384	3716	cmd.exe	101
PID 3716 wrote to memory of 3384	3716	cmd.exe	101
PID 3716 wrote to memory of 3384	3716	cmd.exe	101
PID 3716 wrote to memory of 3692	3716	cmd.exe	104
PID 3716 wrote to memory of 3692	3716	cmd.exe	104
PID 3716 wrote to memory of 3692	3716	cmd.exe	104
PID 3716 wrote to memory of 4740	3716	cmd.exe	105
PID 3716 wrote to memory of 4740	3716	cmd.exe	105
PID 3716 wrote to memory of 4740	3716	cmd.exe	105
PID 3716 wrote to memory of 4324	3716	cmd.exe	106
PID 3716 wrote to memory of 4324	3716	cmd.exe	106
PID 3716 wrote to memory of 4324	3716	cmd.exe	106
PID 4324 wrote to memory of 4848	4324	powershell.exe	109
PID 4324 wrote to memory of 4848	4324	powershell.exe	109
PID 4324 wrote to memory of 4848	4324	powershell.exe	109
PID 4324 wrote to memory of 3940	4324	powershell.exe	110
PID 4324 wrote to memory of 3940	4324	powershell.exe	110
PID 4324 wrote to memory of 3940	4324	powershell.exe	110
PID 4324 wrote to memory of 1832	4324	powershell.exe	111
PID 4324 wrote to memory of 1832	4324	powershell.exe	111
PID 4324 wrote to memory of 1832	4324	powershell.exe	111
PID 1832 wrote to memory of 3056	1832	cmd.exe	112
PID 1832 wrote to memory of 3056	1832	cmd.exe	112
PID 1832 wrote to memory of 3056	1832	cmd.exe	112
PID 4324 wrote to memory of 4672	4324	powershell.exe	113
PID 4324 wrote to memory of 4672	4324	powershell.exe	113
PID 4324 wrote to memory of 4672	4324	powershell.exe	113
PID 4672 wrote to memory of 4692	4672	cmd.exe	114
PID 4672 wrote to memory of 4692	4672	cmd.exe	114
PID 4672 wrote to memory of 4692	4672	cmd.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe
"C:\Users\Admin\AppData\Local\Temp\9d7a4d81c53c9f6cade6ceadd6554e9af0879b1de0d44710f55c6e14179e1c55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4848
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="BIHQJRXS" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4692
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:208
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:556
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 16
        6⤵
        Runs ping.exe
        
        PID:4816
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
637.9MB

MD5
08782c404301a74f146ef219f511e82f

SHA1
c79a73f96edfaf652dcefa7cae81d969d0273de7

SHA256
abc6b7a4eb5c9313f9dc14f3cde3da920933817f70f372b30e864cca5afe5dc3

SHA512
d636b823fe9a5596b5fa851895afefafed71bd34debf5b2f7d45a3ce4f4f9e6ea37d1f6986fd3d0aa522dcc9ea08b93cac08f46ff5855acb8671ba5b3eedaa55

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
240.3MB

MD5
232a8bc18ff11f8d32d4e4f9762c0ad3

SHA1
0417c1ca0b4cc1d485ab9ffe6526ff240c63172c

SHA256
90bcb3e9a39aef2127c4708eb450d8270c29831377152a160ef0692ce38a0f34

SHA512
2be374ef81604a200c87eff3641ce84b5c2f1e79c38db7887288a09863ea0a072c72628ce435defc4ab66c4ee80a442c7a9fcb257fe112ca07ebbdf94f00d3fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
52b0433d4071c4cf30b01de5ecbaa96f

SHA1
877c6d426260ea6ec836e4cb6b1c712cc4af6825

SHA256
edccc108f5944873d0f2ef45ee1f23e3cf648d11655340399a20d17216c16f9a

SHA512
d19071b0dba7ffa2958244d4fc6ad75c4f89a8afa0c41d87f9b63fd90f3c849fc1bf4e9e211bcada97d7fa8af7f4f060a7f83f2c958a59dd3710879883619044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
41325eb49a76b1d5fd1b4f4c94ea61c3

SHA1
b4e82a8b08bee9a3d43914bf66b468ee40032c5d

SHA256
2763897d51543a422007d0ac851fdf650dfc15c48cfd5624d7be9b492e40be7e

SHA512
56df4444c5b10098f40bc645e665458d8d38b5701c0a64e9674fd645a07a1aa347bc54f2b5f483e844207144e8935363b83d05fd5bb751a383e86d414402e4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
adfc75ff434451aec19a79dc9321a7cd

SHA1
b47c075a758d3c8fa4270cfd94a47a694d20588c

SHA256
efade5016c2a1ed198edc94cf5b10ab19767a10deb1ebecd7e206b2d971ed50a

SHA512
380c1862e88b26b24dcc9c03cbaa7d570f375001278503db2506770f65ea89188e7ae7f04e95abaa245be49ac176e24e4c645462e4fb2eb397649fb1175e2891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
94d083e5c4090e182d4b03d7b423e78c

SHA1
7632555992cae45744180d216adede82e50316fc

SHA256
708ff45b5de8c7d3b375752c73cc44c4d822a993ea806b0cef390057dc910cbd

SHA512
76c5bd9d13b0663a8d167bc31f35f0d1d2cc2cea27d905a48dfaf08e8010010c8db37099b6292021fd294731a00b8e26d7ad268c171f780f2c4d33a0412b2324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8b3a3776bd374eb27a4a229e2f415444

SHA1
d1ec6e9256af26da898059c4b225eefe9703ba20

SHA256
e42aa2dbced70be72e7d2ad95ebbef96ebbee8fdfe7e1f1fa7fac9937d67e58d

SHA512
84b9d2d749f7f397aab81532519b5c5e526e8db128d876b3eb126a9ba2e1591ea97db0d984ab867660b60e13da9df0420225f8a40f9908c26c5435e1b5ae8ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exqeph2f.12e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
174.2MB

MD5
c7005f697f24bf65b3371e0ad5057c70

SHA1
09a194e62950a7a3bae3e42e8c662a04123d2764

SHA256
a52cee3876e3827d762fcb4570fd12d81697e0f00d915d8eb9af8c34a1af1626

SHA512
06dbf3c70e8993f4c8e9eb7f4606e9f5f18245dc33a065156928d4fdf3745bff9755e0d2b2ccebe4977f904092d58a32c2dea80517d41bcecee70e633f8e8f7a

Download Submit
memory/1444-163-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1444-146-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1444-147-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1444-148-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

Filesize
216KB

Download
memory/1444-149-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/1444-166-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1444-150-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/1444-162-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/1444-152-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/1444-151-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2200-184-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2200-297-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2200-289-0x0000000000A90000-0x0000000000C46000-memory.dmp

Filesize
1.7MB

Download
memory/2200-288-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2200-290-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/2200-291-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/2200-292-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2200-294-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/2200-185-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/2200-300-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2200-302-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2200-196-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/2200-198-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3384-214-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3384-199-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3384-200-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3384-201-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3384-213-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3400-299-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/3400-298-0x0000000000AE0000-0x0000000000C96000-memory.dmp

Filesize
1.7MB

Download
memory/3400-301-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/3692-230-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3692-228-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3692-217-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3692-216-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3692-215-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/4324-273-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/4324-271-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/4324-274-0x0000000007610000-0x000000000761A000-memory.dmp

Filesize
40KB

Download
memory/4324-275-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/4324-276-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/4324-277-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-278-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-279-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/4324-280-0x00000000078E0000-0x00000000078FA000-memory.dmp

Filesize
104KB

Download
memory/4324-281-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/4324-282-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-284-0x0000000007950000-0x0000000007972000-memory.dmp

Filesize
136KB

Download
memory/4324-285-0x0000000008830000-0x0000000008DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4324-245-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/4324-246-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-272-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/4324-261-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

Filesize
304KB

Download
memory/4324-260-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/4324-259-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-247-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4324-295-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/4568-183-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/4568-168-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/4568-182-0x00000000044A0000-0x00000000044B0000-memory.dmp

Filesize
64KB

Download
memory/4568-169-0x00000000044A0000-0x00000000044B0000-memory.dmp

Filesize
64KB

Download
memory/4568-170-0x00000000044A0000-0x00000000044B0000-memory.dmp

Filesize
64KB

Download
memory/4740-241-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4740-237-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4740-233-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download