Analysis Overview
SHA256
8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0
Threat Level: Known bad
The file 8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Modifies Windows Firewall
UPX packed file
Executes dropped EXE
Unexpected DNS network traffic destination
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-15 15:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-15 15:45
Reported
2023-08-15 15:47
Platform
win7-20230712-en
Max time kernel
30s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Users\Admin\AppData\Local\Temp\7z.exe
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem where name="UMAXQRGK" set AutomaticManagedPagefile=False
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
C:\Users\Admin\AppData\Local\Temp\ratt.exe
"ratt.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
C:\Users\Admin\Music\rot.exe
"C:\Users\Admin\Music\rot.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 94.131.105.161:12344 | | tcp |
| NL | 94.131.105.161:12344 | | tcp |
| NL | 94.131.105.161:12344 | | tcp |
| NL | 94.131.105.161:12344 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
| MD5 | 7ea1fec84d76294d9256ae3dca7676b2 |
| SHA1 | 1e335451d1cbb6951bc77bf75430f4d983491342 |
| SHA256 | 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940 |
| SHA512 | ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 6144d97dc708fef233ef69a3ef39189a |
| SHA1 | cb690d034357a442a89cd793f2efda0771af325c |
| SHA256 | 02fac70bde8c2de6db3d48504a7473e665bcf013e232dfc45aefd5eacd5bb729 |
| SHA512 | 481bb288a6d97f272529b1ed5b4328106ec75b2a2768dac647234a67451f297af355b63baf689dd99c659bcd8ab7f6e6ec3b6fcc4e7851777383867df91f9b0a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TMDPDJRCNL4VCEZIBLFD.temp
| MD5 | 6144d97dc708fef233ef69a3ef39189a |
| SHA1 | cb690d034357a442a89cd793f2efda0771af325c |
| SHA256 | 02fac70bde8c2de6db3d48504a7473e665bcf013e232dfc45aefd5eacd5bb729 |
| SHA512 | 481bb288a6d97f272529b1ed5b4328106ec75b2a2768dac647234a67451f297af355b63baf689dd99c659bcd8ab7f6e6ec3b6fcc4e7851777383867df91f9b0a |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
C:\Users\Admin\AppData\Local\Temp\ratt.7z
| MD5 | 7de6fdf3629c73bf0c29a96fa23ae055 |
| SHA1 | dcb37f6d43977601c6460b17387a89b9e4c0609a |
| SHA256 | 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff |
| SHA512 | d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8 |
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | 9346815b304fb74992bd2804ce095c89 |
| SHA1 | 836c339bbe0cd754f8086a85c02c8c8503d86385 |
| SHA256 | 3281c5af0831e36e0487fa512e0f2d2336b46420dac988e694da64c42b2938c2 |
| SHA512 | 3a3f76b7faac04e4762973583b8b7018fd59b71f33542213436d778580e4e8a5a83cdcb4c19ca4275075242d9f5cfb9ae1ffd4d5af7a67eec35c3dd359d034ff |
C:\Users\Admin\AppData\Local\Temp\Add.ps1
| MD5 | 0df43097e0f0acd04d9e17fb43d618b9 |
| SHA1 | 69b3ade12cb228393a93624e65f41604a17c83b6 |
| SHA256 | c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873 |
| SHA512 | 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | c53c7f643ca0d77240a92b4aa14b5439 |
| SHA1 | 91bd8195d749466aad08237c0d17fc6bd4c57a07 |
| SHA256 | b74417a8f097d15ea12e6bd4618dafe0047971e56ab434490407168f91475cef |
| SHA512 | 4db66376f28cb683477521020cea726484a4ad7f0265217b3d4b5d11d610c3f3ebdfc3ae6e12926ba39b23db59cee8a422820ded30734717b4d27265a19b317d |
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe
| MD5 | e13f8417e4b6bc5782b418ad3d9115d2 |
| SHA1 | 0441e5b8a2181c6ff43ef8ed5b4996f6baf15c00 |
| SHA256 | a34a69537a5993222af2e78ec6f906755504b47a71249efd57de18d4ba8a4ef6 |
| SHA512 | 330c6b07da05b7fdb13d51da5e7c4dfbe5b8290b4935a4c1ce1e9a57f7262695effc0a8fd4f052416c0171d75b9382ebddcff475adc0fb8cca05d55d4be2f07b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe
| MD5 | 68bb8f19dd7ab25e0e0d15b0dcf34450 |
| SHA1 | 2d347fa1c601cf770d40f0008e6fcdfd87eb231f |
| SHA256 | bf18aa5a98e39f6dc635addbac1abafe1bca6d60ce37d42e1059f010dff90ac5 |
| SHA512 | 216be234630bb76dc68569bea01e911f157ab80e01cabc080f9e64cb1211d0ae992f5cbbd4312782779514a013f5686d583199b187ea3d2966182699cd7ce78b |
\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | ff9e70fd8bec3aa803813fc7c30ab1bb |
| SHA1 | aa50945b75511bbadb8e7190cafe643c4697e9eb |
| SHA256 | dd34cad0afa15103d976e1b1559073f8df575a9592635e191774321039612cd6 |
| SHA512 | da82a0572ba920b391aab23d3a8ed961194614d26b7f0b2000ed109bbe38117e0402f6a577464ff3f53fbb36092c53c6db842d7cc5fcca41d7f1ae253290a340 |
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | 5a80b25ed897a95785e8ef1532d4db8c |
| SHA1 | 1966e8871e35b1c30f45c4caf8fcd78784c638aa |
| SHA256 | 1295c0d3d36333cc79028da113b04c139e68d4e459ebc4133312be622497af19 |
| SHA512 | 4734e9a7917dc1cc0db8e602f0f7103d4bfded98988a5223fa4bba553b6708177049088751b05268a3bee1a1a3ada5462c59b719582e9d2fbc3c7c88abf2102c |
C:\Users\Admin\Music\rot.exe
| MD5 | 6dfb515b8ae0125042178728d7b291c4 |
| SHA1 | fabe0a5c702bd3c6b5f73f7ea841f21a4c192441 |
| SHA256 | e556dafdbe0751dbacce36b7a863663266682d122cf24c86305572e6acd34152 |
| SHA512 | e154040879f16b8d5772d86bc912c298aac72f78b1ab2579dd5ac716baa26018984bcf829f9c7d200acec8a03366f5206a0f8f9563d4e6018d97b7a56efbb548 |
\Users\Admin\Music\rot.exe
| MD5 | 9732fa52b757e1b99d070e1bbbca6cfb |
| SHA1 | c4e89065c09915168085c48b204841495074e485 |
| SHA256 | 41492f2193eaeae26770d245aeb159c1500f5990ff4befe77fa84231284fc051 |
| SHA512 | 793ee0f2d67db78bfd9dcb2eaee9e735dc33d5297e2e815b52fa7e14afe8c8f0d077cfaaab5582643b8ae7f9bc4e647c991c40f069100dfd6a30e83b145f8b58 |
C:\Users\Admin\Music\rot.exe
| MD5 | a00897d7e19bad70c7bbe6cdb3ccafbd |
| SHA1 | a9f01c345b12e63db11d8ea0c7d519dad0f93742 |
| SHA256 | c366135b964aa29b0c4897a82356d2ef7011935cb9bdb49390473ef983cfe74f |
| SHA512 | 63d1de48a59e5310db8e7154b036b97825d1791ec8c482e8788524d0b45215ba9cf9db979a0350eef6396fd87baee8e504739aff1d431ab325d3d06b3098d3d7 |
C:\Users\Admin\Music\rot.exe
| MD5 | 9c718d37d5b87ce2b33c424b66063c71 |
| SHA1 | 0bf8123679857e75506655b2caa577f597a8e89c |
| SHA256 | d871647fa78aaf309168849822aeb46c216bc4ee574030c70beb698bc319c19c |
| SHA512 | 6579ec353a9075319d86a0f4ba68149bb74f9f56ded17479846c7edfeb635e84da4d68b7c3586db8b3c2489f573f92e94364ac3adb8bc1960826400bc32dec48 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-15 15:45
Reported
2023-08-15 15:47
Platform
win10v2004-20230703-en
Max time kernel
39s
Max time network
132s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0_JC.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
C:\Users\Admin\AppData\Local\Temp\7z.exe
7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem where name="HISXQJCD" set AutomaticManagedPagefile=False
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
C:\Users\Admin\AppData\Local\Temp\ratt.exe
"ratt.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ratt.bat
| MD5 | 7ea1fec84d76294d9256ae3dca7676b2 |
| SHA1 | 1e335451d1cbb6951bc77bf75430f4d983491342 |
| SHA256 | 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940 |
| SHA512 | ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317 |
memory/5004-146-0x0000000002AB0000-0x0000000002AE6000-memory.dmp
memory/5004-147-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/5004-148-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/5004-149-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/5004-150-0x0000000005200000-0x0000000005828000-memory.dmp
memory/5004-151-0x00000000050D0000-0x00000000050F2000-memory.dmp
memory/5004-152-0x00000000059A0000-0x0000000005A06000-memory.dmp
memory/5004-153-0x0000000005A10000-0x0000000005A76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gc4iokbc.n4j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5004-163-0x00000000060C0000-0x00000000060DE000-memory.dmp
memory/5004-164-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/5004-167-0x0000000075390000-0x0000000075B40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
memory/4512-169-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/4512-170-0x00000000050E0000-0x00000000050F0000-memory.dmp
memory/4512-171-0x00000000050E0000-0x00000000050F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5577eec0db115f35094427f605f9b08 |
| SHA1 | 108844ef5fc95a68f926d02890865434a7cee877 |
| SHA256 | 72bb9e248c9d9fc928945ef1c4b4413848366728c15bc4f18acd827119d0c255 |
| SHA512 | b3dbc53a6ad6cf5509afe15e1071b89c040bba56b1cb2b412dec9d84bfcb42fd31f5626e9af5ad6d823ee12707034bcc9d347a19f5c7a1985174d38dc38240c2 |
memory/4512-182-0x00000000050E0000-0x00000000050F0000-memory.dmp
memory/4512-184-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/3228-186-0x0000000005430000-0x0000000005440000-memory.dmp
memory/3228-185-0x0000000075390000-0x0000000075B40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a6d8e8980849ac86b7674d9e40a64b3 |
| SHA1 | 78b239356b3acbadb3766fd4ecc42bca6177adc4 |
| SHA256 | 849d4d1b398c42688bcf684c711cfa5d5ab871f56c40ced41bc397cc546bf2d9 |
| SHA512 | c2936228a7629e871f156939decb2c242b818d62743ab26b1e0b41aec4c3e05914b7c433938c436916bf8f1f9579f705437a890c2bb1f421b4256cded3b01f64 |
memory/3228-198-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/1676-200-0x0000000002B50000-0x0000000002B60000-memory.dmp
memory/1676-199-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/1676-201-0x0000000002B50000-0x0000000002B60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3944c3c18f048b3e96538dd73cf52220 |
| SHA1 | d65500fe4698e9e3b0b143214a18b3a9a47590d8 |
| SHA256 | 1f159261a3441dd3edef3cae9462f9822c0cbf921a10194f3f3a54f8195e31a0 |
| SHA512 | 48e60edddb181f0de4195ce5661d69c7fb1e70136fd6650b913c9987d3d47042cd2b77e0c4826000713523dbbbafffcbc87d5fae508cef13b6319162bc035186 |
memory/1676-213-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/4608-214-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/4608-215-0x0000000004A40000-0x0000000004A50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 84b2620ecfd900d7ba0779cff391f68e |
| SHA1 | 6d793e49e77d02b77a491c6180b74c847cd44f2b |
| SHA256 | fb26bf3e0a38134c4b5665bd33b8a3f3f8cd3db2b5bfa6fd2a4abcffc55b38ea |
| SHA512 | 725c092bf7dca2d5929034eebe7e134f77e00678b4972278cb205689b009f020149dc278e615d4149c5f65580bef06cc6032d7cad1666d976eb5022e673b10de |
memory/4608-226-0x0000000004A40000-0x0000000004A50000-memory.dmp
memory/4608-228-0x0000000075390000-0x0000000075B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 8ba2e41b330ae9356e62eb63514cf82e |
| SHA1 | 8dc266467a5a0d587ed0181d4344581ef4ff30b2 |
| SHA256 | ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea |
| SHA512 | 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d |
memory/3288-231-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 15bbbe562f9be3e5dcbb834e635cc231 |
| SHA1 | 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a |
| SHA256 | ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde |
| SHA512 | 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287 |
memory/3288-235-0x0000000010000000-0x00000000100E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.7z
| MD5 | 7de6fdf3629c73bf0c29a96fa23ae055 |
| SHA1 | dcb37f6d43977601c6460b17387a89b9e4c0609a |
| SHA256 | 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff |
| SHA512 | d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8 |
memory/3288-239-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | be788bb3680cf3809d9678ee6f7ba321 |
| SHA1 | 499f01d5f654f83e172004dcc03f99abdd251734 |
| SHA256 | 03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b |
| SHA512 | 83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e |
memory/1640-244-0x0000000002C90000-0x0000000002CA0000-memory.dmp
memory/1640-243-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/1640-245-0x0000000002C90000-0x0000000002CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 20311cbb97c9fccceb50adf38544be24 |
| SHA1 | 3e0131cd35e1b22a38c2427e75fd1283319b509c |
| SHA256 | 9272a45cdc925b2b1e9afb221a133ff9bac0e66a375f9503b74101a52001bcab |
| SHA512 | 59909a316346fbe2c2e701c16ba4ada36a8b81f9b87d9e094e62583fc155ff42802b4cd95d467f18b13ce92066f71d495b129c0d014c25ff982b884c8a2e3c95 |
C:\Users\Admin\AppData\Local\Temp\Add.ps1
| MD5 | 0df43097e0f0acd04d9e17fb43d618b9 |
| SHA1 | 69b3ade12cb228393a93624e65f41604a17c83b6 |
| SHA256 | c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873 |
| SHA512 | 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb |
memory/1640-257-0x0000000006860000-0x0000000006892000-memory.dmp
memory/1640-258-0x00000000710E0000-0x000000007112C000-memory.dmp
memory/1640-268-0x00000000067D0000-0x00000000067EE000-memory.dmp
memory/1640-269-0x0000000007BE0000-0x000000000825A000-memory.dmp
memory/1640-270-0x00000000075C0000-0x00000000075DA000-memory.dmp
memory/1640-271-0x0000000007610000-0x000000000761A000-memory.dmp
memory/1640-272-0x0000000007840000-0x00000000078D6000-memory.dmp
memory/1640-273-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/1640-274-0x00000000077C0000-0x00000000077CE000-memory.dmp
memory/1640-275-0x0000000002C90000-0x0000000002CA0000-memory.dmp
memory/1640-276-0x00000000078E0000-0x00000000078FA000-memory.dmp
memory/1640-277-0x0000000007810000-0x0000000007818000-memory.dmp
memory/1640-278-0x0000000002C90000-0x0000000002CA0000-memory.dmp
memory/1640-279-0x0000000002C90000-0x0000000002CA0000-memory.dmp
memory/1640-281-0x0000000007920000-0x0000000007942000-memory.dmp
memory/1640-282-0x0000000008810000-0x0000000008DB4000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | c1e3f6ac55b215f70581778c531d70fe |
| SHA1 | 7655df6c93ceb87c695391ec4bfc3103b4b54869 |
| SHA256 | fa356f98f64cf27a47727da86ee250c5bd00cd217dc1422c2d78b16a1a6d94d7 |
| SHA512 | d5464f3c3a8af593e0491f38e4042351222320cf59bf3bc2f3111604b28d86cf6793cb53134bcb2cebe99bf5cb49c9c008ae2834e153b0ec022ae1d371cad701 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
| MD5 | 6e116444f1b62fc67e98f5a7f8d53b54 |
| SHA1 | 662e4ca2b1afcedf2d36c050cb66420fe4cbb078 |
| SHA256 | 5189dbc02387e74956401044db7103ff3c8b8f79a128f00a783190659b4155fa |
| SHA512 | 124c916dbf6228197807f651049a2213a87741e7722d834c3af553a0032c12e93ea33f8781e93d8dae43e785a04d29e3bc372a4ac844c1da0f3092fa02353c41 |
memory/2556-285-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/2556-286-0x0000000000E40000-0x0000000000FF6000-memory.dmp
memory/2556-287-0x0000000004B00000-0x0000000004B9C000-memory.dmp
memory/2556-288-0x0000000004BA0000-0x0000000004C32000-memory.dmp
memory/2556-289-0x0000000004E30000-0x0000000004E40000-memory.dmp
memory/1640-291-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/2556-292-0x0000000004D50000-0x0000000004D5A000-memory.dmp
memory/2556-293-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/2556-294-0x0000000004E30000-0x0000000004E40000-memory.dmp
memory/2556-295-0x0000000004E30000-0x0000000004E40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ratt.exe
| MD5 | c3376d17e1955ad4f5d37ffc5a34a77b |
| SHA1 | 79bbcf85ef94a818d59c3d657d58d0c26d32cfc5 |
| SHA256 | 55f54341838a2c8b274eec0d47db4abfca922b864638664fbef31f5aa69d399a |
| SHA512 | b6a4cfe3b09c8eefc035e3e4008f52634fcde88b8cf95adcc649283f487361e6dd4f959cb41cfd3134b1412738d2b6f0814ae4c9086bcf9417729d03d627b96e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log
| MD5 | 9a2d0ce437d2445330f2646472703087 |
| SHA1 | 33c83e484a15f35c2caa3af62d5da6b7713a20ae |
| SHA256 | 30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c |
| SHA512 | a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d |
memory/3616-300-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/3616-301-0x0000000000650000-0x0000000000806000-memory.dmp
memory/2556-299-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/3616-302-0x0000000005070000-0x0000000005080000-memory.dmp
memory/3616-303-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/3616-304-0x0000000005070000-0x0000000005080000-memory.dmp
C:\Users\Admin\Music\rot.exe
| MD5 | 0bd75f0e4a3dfdc5dc907d7af04cbc98 |
| SHA1 | d824dc7684114bf642a37c75e7d4dad7f61b6f47 |
| SHA256 | 69f26a891d35c3b069a048c507db581f1ce8d5e6d50ec196c42d02aa4329efc3 |
| SHA512 | 415558a9e5d269b89ff24bc66deb2375752408ee233fd8d62efecc5e9d2ae70a3f3186c15d8a4c6acbad06cb53a4a3b436fac287ffe44e3d8276875e6780f166 |