Analysis

  • max time kernel
    30s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2023, 15:45

General

  • Target

    8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe

  • Size

    1.4MB

  • MD5

    fb5784de1a251633e8006e3fc03bcb6f

  • SHA1

    0a86ae4b1542726a9a2f9d24102003141150b358

  • SHA256

    8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0

  • SHA512

    c3021585da947b06e0cf65a35d752536cae8179e1ba4ef473ef7e793346f8449a8aaf01e2ac6fe37a5f241f4239f61603d7284e016c2c31e353d7ac13d3c0fb2

  • SSDEEP

    24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

-

C2

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes
  • encryption_key

    5Q0JQBQQfAUHRJTcAIOF

  • install_name

    lient.exe

  • log_directory

    Lugs

  • reconnect_delay

    3000

  • startup_key

    itartup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 6 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup myip.opendns.com. resolver1.opendns.com
          4⤵
            PID:2876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic ComputerSystem get Domain
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1104
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Users\Admin\AppData\Local\Temp\7z.exe
          7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2252
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:1640
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
              PID:1164
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic computersystem where name="UMAXQRGK" set AutomaticManagedPagefile=False
                5⤵
                  PID:2488
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe"
                4⤵
                  PID:2308
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
                    5⤵
                      PID:1952
                  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
                    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
                    4⤵
                      PID:2228
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                        5⤵
                          PID:2460
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 10
                            6⤵
                            • Runs ping.exe
                            PID:848
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                            6⤵
                              PID:2576
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
                            5⤵
                              PID:2552
                          • C:\Windows\SysWOW64\attrib.exe
                            "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
                            4⤵
                            • Views/modifies file attributes
                            PID:2300
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
                          3⤵
                            PID:1784
                          • C:\Users\Admin\AppData\Local\Temp\ratt.exe
                            "ratt.exe"
                            3⤵
                              PID:1460
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                                4⤵
                                  PID:1704
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1 -n 10
                                    5⤵
                                    • Runs ping.exe
                                    PID:2872
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                                    5⤵
                                      PID:2080
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
                                    4⤵
                                      PID:2280
                                      • C:\Windows\SysWOW64\PING.EXE
                                        ping 127.0.0.1 -n 13
                                        5⤵
                                        • Runs ping.exe
                                        PID:2548
                                      • C:\Windows\SysWOW64\PING.EXE
                                        ping 127.0.0.1 -n 13
                                        5⤵
                                        • Runs ping.exe
                                        PID:2628
                                      • C:\Users\Admin\Music\rot.exe
                                        "C:\Users\Admin\Music\rot.exe"
                                        5⤵
                                          PID:1616
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                            6⤵
                                              PID:2936
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1 -n 20
                                    1⤵
                                    • Runs ping.exe
                                    PID:2276

                                  Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

                                          Filesize

                                          226.3MB

                                          MD5

                                          c53c7f643ca0d77240a92b4aa14b5439

                                          SHA1

                                          91bd8195d749466aad08237c0d17fc6bd4c57a07

                                          SHA256

                                          b74417a8f097d15ea12e6bd4618dafe0047971e56ab434490407168f91475cef

                                          SHA512

                                          4db66376f28cb683477521020cea726484a4ad7f0265217b3d4b5d11d610c3f3ebdfc3ae6e12926ba39b23db59cee8a422820ded30734717b4d27265a19b317d

                                        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

                                          Filesize

                                          204.2MB

                                          MD5

                                          68bb8f19dd7ab25e0e0d15b0dcf34450

                                          SHA1

                                          2d347fa1c601cf770d40f0008e6fcdfd87eb231f

                                          SHA256

                                          bf18aa5a98e39f6dc635addbac1abafe1bca6d60ce37d42e1059f010dff90ac5

                                          SHA512

                                          216be234630bb76dc68569bea01e911f157ab80e01cabc080f9e64cb1211d0ae992f5cbbd4312782779514a013f5686d583199b187ea3d2966182699cd7ce78b

                                        • C:\Users\Admin\AppData\Local\Temp\7z.dll

                                          Filesize

                                          328KB

                                          MD5

                                          15bbbe562f9be3e5dcbb834e635cc231

                                          SHA1

                                          7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

                                          SHA256

                                          ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

                                          SHA512

                                          769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

                                        • C:\Users\Admin\AppData\Local\Temp\7z.exe

                                          Filesize

                                          71KB

                                          MD5

                                          8ba2e41b330ae9356e62eb63514cf82e

                                          SHA1

                                          8dc266467a5a0d587ed0181d4344581ef4ff30b2

                                          SHA256

                                          ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

                                          SHA512

                                          2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

                                        • C:\Users\Admin\AppData\Local\Temp\Add.ps1

                                          Filesize

                                          1KB

                                          MD5

                                          0df43097e0f0acd04d9e17fb43d618b9

                                          SHA1

                                          69b3ade12cb228393a93624e65f41604a17c83b6

                                          SHA256

                                          c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

                                          SHA512

                                          01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

                                        • C:\Users\Admin\AppData\Local\Temp\ratt.7z

                                          Filesize

                                          693KB

                                          MD5

                                          7de6fdf3629c73bf0c29a96fa23ae055

                                          SHA1

                                          dcb37f6d43977601c6460b17387a89b9e4c0609a

                                          SHA256

                                          069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

                                          SHA512

                                          d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

                                        • C:\Users\Admin\AppData\Local\Temp\ratt.bat

                                          Filesize

                                          1KB

                                          MD5

                                          7ea1fec84d76294d9256ae3dca7676b2

                                          SHA1

                                          1e335451d1cbb6951bc77bf75430f4d983491342

                                          SHA256

                                          9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

                                          SHA512

                                          ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

                                        • C:\Users\Admin\AppData\Local\Temp\ratt.exe

                                          Filesize

                                          356.4MB

                                          MD5

                                          9346815b304fb74992bd2804ce095c89

                                          SHA1

                                          836c339bbe0cd754f8086a85c02c8c8503d86385

                                          SHA256

                                          3281c5af0831e36e0487fa512e0f2d2336b46420dac988e694da64c42b2938c2

                                          SHA512

                                          3a3f76b7faac04e4762973583b8b7018fd59b71f33542213436d778580e4e8a5a83cdcb4c19ca4275075242d9f5cfb9ae1ffd4d5af7a67eec35c3dd359d034ff

                                        • C:\Users\Admin\AppData\Local\Temp\ratt.exe

                                          Filesize

                                          227.7MB

                                          MD5

                                          5a80b25ed897a95785e8ef1532d4db8c

                                          SHA1

                                          1966e8871e35b1c30f45c4caf8fcd78784c638aa

                                          SHA256

                                          1295c0d3d36333cc79028da113b04c139e68d4e459ebc4133312be622497af19

                                          SHA512

                                          4734e9a7917dc1cc0db8e602f0f7103d4bfded98988a5223fa4bba553b6708177049088751b05268a3bee1a1a3ada5462c59b719582e9d2fbc3c7c88abf2102c

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TMDPDJRCNL4VCEZIBLFD.temp

                                          Filesize

                                          7KB

                                          MD5

                                          6144d97dc708fef233ef69a3ef39189a

                                          SHA1

                                          cb690d034357a442a89cd793f2efda0771af325c

                                          SHA256

                                          02fac70bde8c2de6db3d48504a7473e665bcf013e232dfc45aefd5eacd5bb729

                                          SHA512

                                          481bb288a6d97f272529b1ed5b4328106ec75b2a2768dac647234a67451f297af355b63baf689dd99c659bcd8ab7f6e6ec3b6fcc4e7851777383867df91f9b0a

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          6144d97dc708fef233ef69a3ef39189a

                                          SHA1

                                          cb690d034357a442a89cd793f2efda0771af325c

                                          SHA256

                                          02fac70bde8c2de6db3d48504a7473e665bcf013e232dfc45aefd5eacd5bb729

                                          SHA512

                                          481bb288a6d97f272529b1ed5b4328106ec75b2a2768dac647234a67451f297af355b63baf689dd99c659bcd8ab7f6e6ec3b6fcc4e7851777383867df91f9b0a

                                        • C:\Users\Admin\Music\rot.exe

                                          Filesize

                                          139.1MB

                                          MD5

                                          6dfb515b8ae0125042178728d7b291c4

                                          SHA1

                                          fabe0a5c702bd3c6b5f73f7ea841f21a4c192441

                                          SHA256

                                          e556dafdbe0751dbacce36b7a863663266682d122cf24c86305572e6acd34152

                                          SHA512

                                          e154040879f16b8d5772d86bc912c298aac72f78b1ab2579dd5ac716baa26018984bcf829f9c7d200acec8a03366f5206a0f8f9563d4e6018d97b7a56efbb548

                                        • C:\Users\Admin\Music\rot.exe

                                          Filesize

                                          107.2MB

                                          MD5

                                          a00897d7e19bad70c7bbe6cdb3ccafbd

                                          SHA1

                                          a9f01c345b12e63db11d8ea0c7d519dad0f93742

                                          SHA256

                                          c366135b964aa29b0c4897a82356d2ef7011935cb9bdb49390473ef983cfe74f

                                          SHA512

                                          63d1de48a59e5310db8e7154b036b97825d1791ec8c482e8788524d0b45215ba9cf9db979a0350eef6396fd87baee8e504739aff1d431ab325d3d06b3098d3d7

                                        • C:\Users\Admin\Music\rot.exe

                                          Filesize

                                          107.2MB

                                          MD5

                                          9c718d37d5b87ce2b33c424b66063c71

                                          SHA1

                                          0bf8123679857e75506655b2caa577f597a8e89c

                                          SHA256

                                          d871647fa78aaf309168849822aeb46c216bc4ee574030c70beb698bc319c19c

                                          SHA512

                                          6579ec353a9075319d86a0f4ba68149bb74f9f56ded17479846c7edfeb635e84da4d68b7c3586db8b3c2489f573f92e94364ac3adb8bc1960826400bc32dec48

                                        • \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

                                          Filesize

                                          209.1MB

                                          MD5

                                          e13f8417e4b6bc5782b418ad3d9115d2

                                          SHA1

                                          0441e5b8a2181c6ff43ef8ed5b4996f6baf15c00

                                          SHA256

                                          a34a69537a5993222af2e78ec6f906755504b47a71249efd57de18d4ba8a4ef6

                                          SHA512

                                          330c6b07da05b7fdb13d51da5e7c4dfbe5b8290b4935a4c1ce1e9a57f7262695effc0a8fd4f052416c0171d75b9382ebddcff475adc0fb8cca05d55d4be2f07b

                                        • \Users\Admin\AppData\Local\Temp\7z.dll

                                          Filesize

                                          328KB

                                          MD5

                                          15bbbe562f9be3e5dcbb834e635cc231

                                          SHA1

                                          7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

                                          SHA256

                                          ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

                                          SHA512

                                          769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

                                        • \Users\Admin\AppData\Local\Temp\7z.exe

                                          Filesize

                                          71KB

                                          MD5

                                          8ba2e41b330ae9356e62eb63514cf82e

                                          SHA1

                                          8dc266467a5a0d587ed0181d4344581ef4ff30b2

                                          SHA256

                                          ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

                                          SHA512

                                          2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

                                        • \Users\Admin\AppData\Local\Temp\ratt.exe

                                          Filesize

                                          227.9MB

                                          MD5

                                          ff9e70fd8bec3aa803813fc7c30ab1bb

                                          SHA1

                                          aa50945b75511bbadb8e7190cafe643c4697e9eb

                                          SHA256

                                          dd34cad0afa15103d976e1b1559073f8df575a9592635e191774321039612cd6

                                          SHA512

                                          da82a0572ba920b391aab23d3a8ed961194614d26b7f0b2000ed109bbe38117e0402f6a577464ff3f53fbb36092c53c6db842d7cc5fcca41d7f1ae253290a340

                                        • \Users\Admin\Music\rot.exe

                                          Filesize

                                          108.4MB

                                          MD5

                                          9732fa52b757e1b99d070e1bbbca6cfb

                                          SHA1

                                          c4e89065c09915168085c48b204841495074e485

                                          SHA256

                                          41492f2193eaeae26770d245aeb159c1500f5990ff4befe77fa84231284fc051

                                          SHA512

                                          793ee0f2d67db78bfd9dcb2eaee9e735dc33d5297e2e815b52fa7e14afe8c8f0d077cfaaab5582643b8ae7f9bc4e647c991c40f069100dfd6a30e83b145f8b58
