8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368

Analysis

max time kernel
38s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe
Size

1.4MB
MD5

8735b37a616166c2174112975d0aefe0
SHA1

970a6ac779ca82e9218d62ef6509833eac8320ce
SHA256

8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368
SHA512

97f49a3e7fb29344a424da8927878c50f63a6f698f42b556685e65bc41c85b3621328a758e5122ee3d664c6831c9ba2b2ac9111c1c0c16fa451d65611419b20d
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2952	netsh.exe
3852	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023236-234.dat	acprotect
behavioral1/files/0x0006000000023236-233.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2152	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
2152	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023237-230.dat	upx
behavioral1/memory/2152-231-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0006000000023237-232.dat	upx
behavioral1/files/0x0006000000023236-234.dat	upx
behavioral1/files/0x0006000000023236-233.dat	upx
behavioral1/memory/2152-235-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2152-239-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2588	PING.EXE
976	PING.EXE
4968	PING.EXE
1516	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4612	powershell.exe
4612	powershell.exe
4148	powershell.exe
4148	powershell.exe
4804	powershell.exe
4804	powershell.exe
4996	powershell.exe
4996	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
2064	powershell.exe
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	756	WMIC.exe
Token: SeSecurityPrivilege	756	WMIC.exe
Token: SeTakeOwnershipPrivilege	756	WMIC.exe
Token: SeLoadDriverPrivilege	756	WMIC.exe
Token: SeSystemProfilePrivilege	756	WMIC.exe
Token: SeSystemtimePrivilege	756	WMIC.exe
Token: SeProfSingleProcessPrivilege	756	WMIC.exe
Token: SeIncBasePriorityPrivilege	756	WMIC.exe
Token: SeCreatePagefilePrivilege	756	WMIC.exe
Token: SeBackupPrivilege	756	WMIC.exe
Token: SeRestorePrivilege	756	WMIC.exe
Token: SeShutdownPrivilege	756	WMIC.exe
Token: SeDebugPrivilege	756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	756	WMIC.exe
Token: SeRemoteShutdownPrivilege	756	WMIC.exe
Token: SeUndockPrivilege	756	WMIC.exe
Token: SeManageVolumePrivilege	756	WMIC.exe
Token: 33	756	WMIC.exe
Token: 34	756	WMIC.exe
Token: 35	756	WMIC.exe
Token: 36	756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	756	WMIC.exe
Token: SeSecurityPrivilege	756	WMIC.exe
Token: SeTakeOwnershipPrivilege	756	WMIC.exe
Token: SeLoadDriverPrivilege	756	WMIC.exe
Token: SeSystemProfilePrivilege	756	WMIC.exe
Token: SeSystemtimePrivilege	756	WMIC.exe
Token: SeProfSingleProcessPrivilege	756	WMIC.exe
Token: SeIncBasePriorityPrivilege	756	WMIC.exe
Token: SeCreatePagefilePrivilege	756	WMIC.exe
Token: SeBackupPrivilege	756	WMIC.exe
Token: SeRestorePrivilege	756	WMIC.exe
Token: SeShutdownPrivilege	756	WMIC.exe
Token: SeDebugPrivilege	756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	756	WMIC.exe
Token: SeRemoteShutdownPrivilege	756	WMIC.exe
Token: SeUndockPrivilege	756	WMIC.exe
Token: SeManageVolumePrivilege	756	WMIC.exe
Token: 33	756	WMIC.exe
Token: 34	756	WMIC.exe
Token: 35	756	WMIC.exe
Token: 36	756	WMIC.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2456	1164	8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe	86
PID 1164 wrote to memory of 2456	1164	8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe	86
PID 1164 wrote to memory of 2456	1164	8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe	86
PID 2456 wrote to memory of 3576	2456	cmd.exe	89
PID 2456 wrote to memory of 3576	2456	cmd.exe	89
PID 2456 wrote to memory of 3576	2456	cmd.exe	89
PID 3576 wrote to memory of 3216	3576	cmd.exe	90
PID 3576 wrote to memory of 3216	3576	cmd.exe	90
PID 3576 wrote to memory of 3216	3576	cmd.exe	90
PID 2456 wrote to memory of 5008	2456	cmd.exe	91
PID 2456 wrote to memory of 5008	2456	cmd.exe	91
PID 2456 wrote to memory of 5008	2456	cmd.exe	91
PID 5008 wrote to memory of 756	5008	cmd.exe	92
PID 5008 wrote to memory of 756	5008	cmd.exe	92
PID 5008 wrote to memory of 756	5008	cmd.exe	92
PID 2456 wrote to memory of 4612	2456	cmd.exe	94
PID 2456 wrote to memory of 4612	2456	cmd.exe	94
PID 2456 wrote to memory of 4612	2456	cmd.exe	94
PID 2456 wrote to memory of 4148	2456	cmd.exe	99
PID 2456 wrote to memory of 4148	2456	cmd.exe	99
PID 2456 wrote to memory of 4148	2456	cmd.exe	99
PID 2456 wrote to memory of 4804	2456	cmd.exe	101
PID 2456 wrote to memory of 4804	2456	cmd.exe	101
PID 2456 wrote to memory of 4804	2456	cmd.exe	101
PID 2456 wrote to memory of 4996	2456	cmd.exe	103
PID 2456 wrote to memory of 4996	2456	cmd.exe	103
PID 2456 wrote to memory of 4996	2456	cmd.exe	103
PID 2456 wrote to memory of 3108	2456	cmd.exe	107
PID 2456 wrote to memory of 3108	2456	cmd.exe	107
PID 2456 wrote to memory of 3108	2456	cmd.exe	107
PID 2456 wrote to memory of 2152	2456	cmd.exe	109
PID 2456 wrote to memory of 2152	2456	cmd.exe	109
PID 2456 wrote to memory of 2152	2456	cmd.exe	109
PID 2456 wrote to memory of 2064	2456	cmd.exe	111
PID 2456 wrote to memory of 2064	2456	cmd.exe	111
PID 2456 wrote to memory of 2064	2456	cmd.exe	111
PID 2064 wrote to memory of 2952	2064	powershell.exe	114
PID 2064 wrote to memory of 2952	2064	powershell.exe	114
PID 2064 wrote to memory of 2952	2064	powershell.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe
"C:\Users\Admin\AppData\Local\Temp\8b6dbbbc9df9b5d63f93f8e2cf776997c0f782649f25d24cef0fa8b092496368.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2952
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:388
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="KHQJMFWR" set AutomaticManagedPagefile=False
        5⤵
        
        PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1784
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:3016
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        Runs ping.exe
        
        PID:2588
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:4688
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 13
        6⤵
        Runs ping.exe
        
        PID:976
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1548
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:3104
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        5⤵
        Runs ping.exe
        
        PID:4968
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        5⤵
        Runs ping.exe
        
        PID:1516
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
544.9MB

MD5
85f6519a342496ed8be4b913f9711042

SHA1
b58b485e491bfd8717f7bd25cb8c56af6846d7f6

SHA256
08b5c3dce11031bba561f1ae1dbdca004c631ca11133800b6717ce63fa190261

SHA512
29f5d51702627e4db2909f5ee2a115ad69a7fac9e83c2f9873bede3f371ecb11c8e77f569d23fd05269d34baa0551fc5c5d6ffc154f8ba57958db3757c400038

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
373.4MB

MD5
f515dc3a599ff6fabd73605128dc67ac

SHA1
cdabb26b7b1888ef94540fffe6a044f1ffe0990b

SHA256
b0bd7a4f89dbf5e9e32fba3258762a1a80756fd45610888ec2fd922d9fa2489b

SHA512
6f515f0196bd35975b781bf316f39f7b0e2adc48f4ed20b8e31cde7e260db3290e554dce8c1ecaf97ab01a74966bce8bc986bb3dfedd3aad7121e929e180b7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7768547580093e8de0f1498b3fe925c4

SHA1
0ad7feadb52f3c4e662e7ae718f16178285fc2cd

SHA256
74ab1ff5d625b5c04b9b3548b5593b97794e4bb33afe8a9d6888355d91e6fd07

SHA512
a3185f84456dd4b0b5e522cb811eccbda59ec1355fa40784ea2c0a10a813452fad86284ba79c12ce4a5f76a21df3c54986f8d1e511bfc44d5621b61b679be3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3a96f9f2d5da90ac843466e73a920dd1

SHA1
f74904d1eb150f940d758fcaba57038010b16d5a

SHA256
c425426e5b222d4c0520e0aefc8d842a3cf3d546b28785f746c59ebd353b757b

SHA512
7e44f4c317da3ab65fc3fe01a4c6a334a9146e6d55bd263c7dd6f71a6602410fd924b9f31c2e070251a4ee4f0091f3c21d0933e4ad3cdb1225e7a1cc014cd6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c6989ec07c9ae01e2228c7c83a55ff1a

SHA1
aeefcc6b4cb0a73721653f1e4bd6f57fbaabd435

SHA256
e9252e4cf2a58f5f2ac307ee7d6cf5c101ef4e7fa4b11b48e8d1daf9f8d74708

SHA512
4a7506ce4b9311b1d776d57d67bb6848248d4690ac3ba02f07e8a3d6c83053346b8ffb791b6b8c285d7e0fcd953c8ca5151444124e3ca701d631fba14c1783bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
06f71a8c38dfc4cc1027c03664f95288

SHA1
97708f06a49d7c6038eb3865211638132f51e3b0

SHA256
50d2146d557664575b3df4c82b3b2e61419b70ad6cbe4a705b56f0c870cafe3d

SHA512
054c81256f5e8aa10a22ad7c08f7c0052cb203af2c312dcbea815ddb4e210b9fb8f645b0bcf55fae1a81b47f352c27084dc2e1e0889de08ff7a8ab7838ccbfdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b0d50dde6a6966505235ac8403b527ab

SHA1
133aa3f519c5268472a1b82602b45271323c4fbc

SHA256
d95040ee3739bd699d76b0ea05ebcebe988a326d6ac2bc42eae839870c26e178

SHA512
c7ec73c613a4a8f3614d85972429a1073f162d6818d0f715a6065be911817b0239ef05fb376ba138ae4b417640442b750a583faf0e017fe8d584eb3f0d8a51a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvhejisk.tyv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
340.7MB

MD5
f97ad5e44a0f0aaa5f26d308a4ec0313

SHA1
7ac37c8756648ca9d899157dfb95b6cda5be80ec

SHA256
3d7ead6285e085d2b586c8fa6eba1c89aba67fa24591708d1c14f3862e0a03de

SHA512
47c80bf5a82445e5cab307ff7ad102c6d3d85bf9fa1d16af411b8cc3750fe22cf81d913919f892ce0b00132d91e0dc684e789b50e3b4e97117d3e4a14d17f0de

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
35.0MB

MD5
8e410696d89e1b14ff2726f08475dc9e

SHA1
636be5842645099f0f4f9cd53ebcd164aa70ccb9

SHA256
88368ec7f3ef49ef87fa1e6a847a07d57f2b527f36df0e95258bd0f728bd9ac9

SHA512
fdc487dda86458e48396b8632e50caedb6c1701343be45cf649c0736f1633c4b12ce4b3752a6a637305ba695d70fa2938ffe06ce39f286ef639baca6f38b802b

Download Submit
memory/2064-281-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/2064-245-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2064-270-0x0000000007BA0000-0x000000000821A000-memory.dmp

Filesize
6.5MB

Download
memory/2064-269-0x0000000004F40000-0x0000000004F5E000-memory.dmp

Filesize
120KB

Download
memory/2064-259-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/2064-258-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/2064-257-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2064-293-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-282-0x00000000087D0000-0x0000000008D74000-memory.dmp

Filesize
5.6MB

Download
memory/2064-272-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/2064-273-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-280-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2064-271-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/2064-243-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-279-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download
memory/2064-244-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2064-278-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/2064-277-0x0000000007770000-0x000000000777E000-memory.dmp

Filesize
56KB

Download
memory/2064-276-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2064-274-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/2064-275-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2152-239-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2152-235-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2152-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2316-299-0x00000000006D0000-0x0000000000886000-memory.dmp

Filesize
1.7MB

Download
memory/2316-298-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2316-300-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/2316-302-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2316-303-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/3108-228-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-226-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/3108-215-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/3108-214-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-288-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/3472-295-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3472-301-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-294-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-291-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/3472-290-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3472-289-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/3472-287-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-286-0x0000000000A40000-0x0000000000BF6000-memory.dmp

Filesize
1.7MB

Download
memory/4148-184-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-169-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-182-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4148-170-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4148-171-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4612-148-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/4612-158-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4612-152-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4612-146-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-167-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-151-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/4612-164-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/4612-149-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/4612-150-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/4612-147-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/4612-163-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4804-185-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-198-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-196-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4996-199-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-200-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4996-213-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-211-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download