0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d

Analysis

max time kernel
40s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe
Size

1.4MB
MD5

cf172ffe1b5a560be2b3e09bf7be0b83
SHA1

d3066bac1f1afb23613dafb079581499e458b608
SHA256

0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d
SHA512

cae1d26036260724e8c2a32115ba7302e2cf19c57f1e5724b12a623b9093ea986f9f34e355bbe7964b2e98a4992f4db2ddb0e43060480796aed65954c326d0a5
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1960	netsh.exe
5092	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000022fe2-98.dat	acprotect
behavioral1/files/0x0007000000022fe2-97.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3156	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
3156	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-95-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0008000000022fe3-96.dat	upx
behavioral1/files/0x0008000000022fe3-94.dat	upx
behavioral1/files/0x0007000000022fe2-98.dat	upx
behavioral1/files/0x0007000000022fe2-97.dat	upx
behavioral1/memory/3156-99-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/3156-103-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3676	PING.EXE
4132	PING.EXE
1848	PING.EXE
4252	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3588	powershell.exe
3588	powershell.exe
4368	powershell.exe
4368	powershell.exe
636	powershell.exe
636	powershell.exe
1848	powershell.exe
1848	powershell.exe
5088	powershell.exe
5088	powershell.exe
1616	powershell.exe
1616	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4272	4048	0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe	86
PID 4048 wrote to memory of 4272	4048	0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe	86
PID 4048 wrote to memory of 4272	4048	0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe	86
PID 4272 wrote to memory of 3368	4272	cmd.exe	89
PID 4272 wrote to memory of 3368	4272	cmd.exe	89
PID 4272 wrote to memory of 3368	4272	cmd.exe	89
PID 3368 wrote to memory of 1516	3368	cmd.exe	90
PID 3368 wrote to memory of 1516	3368	cmd.exe	90
PID 3368 wrote to memory of 1516	3368	cmd.exe	90
PID 4272 wrote to memory of 816	4272	cmd.exe	91
PID 4272 wrote to memory of 816	4272	cmd.exe	91
PID 4272 wrote to memory of 816	4272	cmd.exe	91
PID 816 wrote to memory of 5100	816	cmd.exe	92
PID 816 wrote to memory of 5100	816	cmd.exe	92
PID 816 wrote to memory of 5100	816	cmd.exe	92
PID 4272 wrote to memory of 3588	4272	cmd.exe	94
PID 4272 wrote to memory of 3588	4272	cmd.exe	94
PID 4272 wrote to memory of 3588	4272	cmd.exe	94
PID 4272 wrote to memory of 4368	4272	cmd.exe	95
PID 4272 wrote to memory of 4368	4272	cmd.exe	95
PID 4272 wrote to memory of 4368	4272	cmd.exe	95
PID 4272 wrote to memory of 636	4272	cmd.exe	96
PID 4272 wrote to memory of 636	4272	cmd.exe	96
PID 4272 wrote to memory of 636	4272	cmd.exe	96
PID 4272 wrote to memory of 1848	4272	cmd.exe	97
PID 4272 wrote to memory of 1848	4272	cmd.exe	97
PID 4272 wrote to memory of 1848	4272	cmd.exe	97
PID 4272 wrote to memory of 5088	4272	cmd.exe	98
PID 4272 wrote to memory of 5088	4272	cmd.exe	98
PID 4272 wrote to memory of 5088	4272	cmd.exe	98
PID 4272 wrote to memory of 3156	4272	cmd.exe	99
PID 4272 wrote to memory of 3156	4272	cmd.exe	99
PID 4272 wrote to memory of 3156	4272	cmd.exe	99
PID 4272 wrote to memory of 1616	4272	cmd.exe	101
PID 4272 wrote to memory of 1616	4272	cmd.exe	101
PID 4272 wrote to memory of 1616	4272	cmd.exe	101
PID 1616 wrote to memory of 1960	1616	powershell.exe	103
PID 1616 wrote to memory of 1960	1616	powershell.exe	103
PID 1616 wrote to memory of 1960	1616	powershell.exe	103
PID 1616 wrote to memory of 5092	1616	powershell.exe	104
PID 1616 wrote to memory of 5092	1616	powershell.exe	104
PID 1616 wrote to memory of 5092	1616	powershell.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe
"C:\Users\Admin\AppData\Local\Temp\0b964584a5cfec5938c7926fd1f90a2ce68dee56b38e77960cc4c9830f79370d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1960
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="MTMNHEOR" set AutomaticManagedPagefile=False
        5⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3076
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:3144
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:3800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        6⤵
        Runs ping.exe
        
        PID:3676
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:4360
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 18
        6⤵
        Runs ping.exe
        
        PID:4132
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2152
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:1412
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 14
        5⤵
        Runs ping.exe
        
        PID:1848
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 14
        5⤵
        Runs ping.exe
        
        PID:4252
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
301.3MB

MD5
1ea5f208d1c221abbe1110a913ba2fe0

SHA1
a91d4dc00930f91749349cce2b115e189c5fb824

SHA256
cd92a453fd349e2b9fe3872cc9245ef0d675fe090bf6a0b11dd5a6eb7f0d7af7

SHA512
b8bbc262e6da0f4185bab44da599eafb35261788342b62ebd728bf8ce2fc5fc71eb04a36dbfd422196749cd50c9a345faf21949d81fca8bcd4c54f211817043a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
259.6MB

MD5
6664dca4c7c77a40ccaf8a7ce2728cae

SHA1
1cad110fb911ae6916215c6753a5631a2ef107ad

SHA256
a1d33ad836678a1395514d36ed44f0d16f1d1702ba9ca8845bf9065ee7ad4f49

SHA512
313ec450c306499b82081cbcdc82e9e99eab9f65ce6956c223827c1e1ff7f3b5603da84b4e7984f47478c4ce1107fc8076e79e2fe69917ab5042a78998c67566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
25c1375cf1529d21d5362183687870dd

SHA1
ca9610ea80bd59cd197fde864a8587b00d9dd930

SHA256
a81d7bca76d73b683be00d2feb203aeddebf46344a765b81eff5260bedbc8514

SHA512
19aef6d6cd34f16d729be0299f4e398658468a56ce404aecf849c6457836a4f6690ee76af2e652fd9730f125819b0aabc0f004d9746af8d4a443cefbb3a3e90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
babf7575bcee252694333619b5e7c3ed

SHA1
b37349cb6524def5eb491217aae8e8bb43bf11ff

SHA256
344399319f49c1451f2012039b5474dd3805e5324de11b4027a110e812d03e06

SHA512
0acf24ffe35c3f4751ce69fc35cd48073fbaff58ec27c2fa7da12ba1abb61ad199634564ad6cfc90b741ae7089f38a927ee8d4941ad29ea5e23fc117943a48c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
5e4083d63b64afe000aa56f084c19136

SHA1
24e81f3900709ea0e45be5ddf3c6b513e917d3d6

SHA256
a933680b3be9c1239204b206970a8f12552b649898949b22d3acb0a212a2fac6

SHA512
a7e397212879c0f2154511ff67bd6a435c1ded5b132ad87bb78386a69feb468ef03492c113644bf502b0547ce950b8132ca741638aef6293018fd27868283fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9b0d8e595eeffc280449d973336b97e6

SHA1
e31fd35af5ede973c6f00b32983c1a196b778c0e

SHA256
a1f35c7757931fa0edc3fba06e485c704082126b4d52a014327b3d93288169ff

SHA512
b7a00b3df97751b09350254dbe4a6ea15d72178054d267cf1b12ff1ad54068c01e6db81e14183ee68e0937cb07aafb63cb344b2a57979a5dc3215352a18808ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
40b62868e3c35211c5221932e6cde147

SHA1
d121345f05e6208de7bd331705e916860f36a788

SHA256
bc4f12776a783d236c3d3bec8cb51078dfaa9a473d3585f5ae5404eabdd17fdf

SHA512
fc9eac6475dbb61462096419123bc6b927ba65687499f4a27711273852a8ea6840de7c9ac7227c861dc283bccfb0dc82dc3a6a17c8da4e7b71e5b77f908e4fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2jsqh3b.sle.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
327.9MB

MD5
ef19e3107b7e812cb3b7eebb93fc9054

SHA1
0ec87f331a8f84d43419ce73c8d07a601193a244

SHA256
92aba674db4f8545c00016255943b85752fa01d80d8e3316314787e225c33b60

SHA512
36408fd142ed62d4066a39f62b8d486a22daa825501f07e3f8d33b367e066a0d67f2f35c4efe895b039b9f85f91a1b4acc6c64517675e97988665e442d45a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
235.5MB

MD5
e418f3b9390263285401ada3c03f5f88

SHA1
cc29a8c92ff68eebcd4b3fa570e7c42fcf5dcd81

SHA256
6b88b154039998823263e2d5332311ac83d284c98c83cf97a3aa395ab9f56b0a

SHA512
cc5f52a9f3d05119f527f30705bc52b59c69d5f7e2ed0c67034d1ef77ad6983ac526940a796e6d8b1b1da40009a70eea65eacb3a218a69b52d3b9a96eb72bd9c

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
100.5MB

MD5
c6b0b07e04c08cb387b7f2e3bf45e878

SHA1
6b5b8cc038f8c9ba37790cc135abccbc8b26c2cf

SHA256
bd6b71f667493d240bf5b990b9d95c10878947d01f30779d6c7a2508d84948a1

SHA512
b88fdc92cd3748c9712ae9e25e6c012a0ef84f426ccba70b8680340df979a0d4ddc6448285a2fab45483c6bfc0b487de230778423d97f5ce32f80954663c65df

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
27.7MB

MD5
d32e6b504a26bd13ea5ff049ea023cf3

SHA1
2df724a256391beca346321541c898e8fc98043d

SHA256
df36abe27de4033fa36fed0f6146caa09f5fbb40559b9db1d3d2006d20c15212

SHA512
6c0969bdd600469defd01aaf313e8d46ce2a0bd990d24024c7035fe666a548fdd38cd336d35d58fb4303bc19cfad0f120c8c16a3927843230175a2298018dca3

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
27.9MB

MD5
7b7d215699ff480594c820a0c2e9b9a3

SHA1
85a010d4f6da2f88cfba83e5e42b87a10f92a2c7

SHA256
3766302bb1041d90f3e68874320e23bc66a7969de27e0bd20b5ed468991bf276

SHA512
dd05e711c0c56196434cc95a89b622001600b854fc6bddde6bd911d5c20a4e0a5b5a0ee3da347c4a556964626ed899864a9e9a349fa0584c1d611629fa64d587

Download Submit
memory/548-167-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/548-164-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/548-162-0x0000000000490000-0x0000000000646000-memory.dmp

Filesize
1.7MB

Download
memory/548-163-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/548-168-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/636-50-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/636-62-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/636-64-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/636-51-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/636-49-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-108-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-134-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/1616-147-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-146-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-144-0x0000000008D70000-0x0000000009314000-memory.dmp

Filesize
5.6MB

Download
memory/1616-143-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-142-0x0000000007EB0000-0x0000000007ED2000-memory.dmp

Filesize
136KB

Download
memory/1616-141-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-140-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/1616-139-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/1616-107-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-138-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/1616-109-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-137-0x0000000007DA0000-0x0000000007E36000-memory.dmp

Filesize
600KB

Download
memory/1616-136-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/1616-121-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1616-122-0x0000000007990000-0x00000000079C2000-memory.dmp

Filesize
200KB

Download
memory/1616-123-0x0000000071040000-0x000000007108C000-memory.dmp

Filesize
304KB

Download
memory/1616-133-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

Filesize
120KB

Download
memory/1616-156-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-135-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/1848-78-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1848-65-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1848-66-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/3156-99-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/3156-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3156-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3588-15-0x0000000004730000-0x0000000004766000-memory.dmp

Filesize
216KB

Download
memory/3588-16-0x0000000004EB0000-0x00000000054D8000-memory.dmp

Filesize
6.2MB

Download
memory/3588-17-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/3588-18-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3588-14-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3588-13-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-19-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3588-29-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/3588-30-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3588-32-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-47-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4368-33-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-48-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-34-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4368-35-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4412-159-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4412-160-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4412-152-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/4412-150-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-151-0x0000000000C80000-0x0000000000E36000-memory.dmp

Filesize
1.7MB

Download
memory/4412-154-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4412-166-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-158-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4412-157-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/4412-153-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/5088-79-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-80-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/5088-92-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download