b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4

Analysis

max time kernel
119s
max time network
86s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe
Size

1.4MB
MD5

8a26374f11b740c6ab52180a1921ad67
SHA1

3c4dfbc638fd0aee99158393812f4a82d6ebf8d5
SHA256

b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4
SHA512

55b7ab386f6eb8f13528594c3bd9dba481105718bd242fc690df4b41003f9a83961aaad28cb028aa6e6b5e6f87e3dfa0e3c42dcb506d265af9ec37a393e99a93
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1028	netsh.exe
212	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001afef-133.dat	acprotect
behavioral1/files/0x000700000001afef-132.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
4024	7z.exe
4000	ratt.exe
3352	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
4024	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001aff2-128.dat	upx
behavioral1/memory/4024-130-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x000700000001aff2-131.dat	upx
behavioral1/files/0x000700000001afef-133.dat	upx
behavioral1/memory/4024-134-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/files/0x000700000001afef-132.dat	upx
behavioral1/memory/4024-138-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2116	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4000	ratt.exe
4000	ratt.exe
4000	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeIncreaseQuotaPrivilege	168	WMIC.exe
Token: SeSecurityPrivilege	168	WMIC.exe
Token: SeTakeOwnershipPrivilege	168	WMIC.exe
Token: SeLoadDriverPrivilege	168	WMIC.exe
Token: SeSystemProfilePrivilege	168	WMIC.exe
Token: SeSystemtimePrivilege	168	WMIC.exe
Token: SeProfSingleProcessPrivilege	168	WMIC.exe
Token: SeIncBasePriorityPrivilege	168	WMIC.exe
Token: SeCreatePagefilePrivilege	168	WMIC.exe
Token: SeBackupPrivilege	168	WMIC.exe
Token: SeRestorePrivilege	168	WMIC.exe
Token: SeShutdownPrivilege	168	WMIC.exe
Token: SeDebugPrivilege	168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	168	WMIC.exe
Token: SeRemoteShutdownPrivilege	168	WMIC.exe
Token: SeUndockPrivilege	168	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2208	4868	b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe	70
PID 4868 wrote to memory of 2208	4868	b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe	70
PID 4868 wrote to memory of 2208	4868	b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe	70
PID 2208 wrote to memory of 3588	2208	cmd.exe	73
PID 2208 wrote to memory of 3588	2208	cmd.exe	73
PID 2208 wrote to memory of 3588	2208	cmd.exe	73
PID 3588 wrote to memory of 4884	3588	cmd.exe	74
PID 3588 wrote to memory of 4884	3588	cmd.exe	74
PID 3588 wrote to memory of 4884	3588	cmd.exe	74
PID 2208 wrote to memory of 3548	2208	cmd.exe	75
PID 2208 wrote to memory of 3548	2208	cmd.exe	75
PID 2208 wrote to memory of 3548	2208	cmd.exe	75
PID 3548 wrote to memory of 4728	3548	cmd.exe	76
PID 3548 wrote to memory of 4728	3548	cmd.exe	76
PID 3548 wrote to memory of 4728	3548	cmd.exe	76
PID 2208 wrote to memory of 3832	2208	cmd.exe	78
PID 2208 wrote to memory of 3832	2208	cmd.exe	78
PID 2208 wrote to memory of 3832	2208	cmd.exe	78
PID 2208 wrote to memory of 2188	2208	cmd.exe	79
PID 2208 wrote to memory of 2188	2208	cmd.exe	79
PID 2208 wrote to memory of 2188	2208	cmd.exe	79
PID 2208 wrote to memory of 212	2208	cmd.exe	80
PID 2208 wrote to memory of 212	2208	cmd.exe	80
PID 2208 wrote to memory of 212	2208	cmd.exe	80
PID 2208 wrote to memory of 4516	2208	cmd.exe	81
PID 2208 wrote to memory of 4516	2208	cmd.exe	81
PID 2208 wrote to memory of 4516	2208	cmd.exe	81
PID 2208 wrote to memory of 4560	2208	cmd.exe	82
PID 2208 wrote to memory of 4560	2208	cmd.exe	82
PID 2208 wrote to memory of 4560	2208	cmd.exe	82
PID 2208 wrote to memory of 4024	2208	cmd.exe	83
PID 2208 wrote to memory of 4024	2208	cmd.exe	83
PID 2208 wrote to memory of 4024	2208	cmd.exe	83
PID 2208 wrote to memory of 4304	2208	cmd.exe	84
PID 2208 wrote to memory of 4304	2208	cmd.exe	84
PID 2208 wrote to memory of 4304	2208	cmd.exe	84
PID 4304 wrote to memory of 212	4304	powershell.exe	85
PID 4304 wrote to memory of 212	4304	powershell.exe	85
PID 4304 wrote to memory of 212	4304	powershell.exe	85
PID 4304 wrote to memory of 1028	4304	powershell.exe	86
PID 4304 wrote to memory of 1028	4304	powershell.exe	86
PID 4304 wrote to memory of 1028	4304	powershell.exe	86
PID 4304 wrote to memory of 4540	4304	powershell.exe	87
PID 4304 wrote to memory of 4540	4304	powershell.exe	87
PID 4304 wrote to memory of 4540	4304	powershell.exe	87
PID 4540 wrote to memory of 168	4540	cmd.exe	88
PID 4540 wrote to memory of 168	4540	cmd.exe	88
PID 4540 wrote to memory of 168	4540	cmd.exe	88
PID 4304 wrote to memory of 1688	4304	powershell.exe	90
PID 4304 wrote to memory of 1688	4304	powershell.exe	90
PID 4304 wrote to memory of 1688	4304	powershell.exe	90
PID 1688 wrote to memory of 4420	1688	cmd.exe	91
PID 1688 wrote to memory of 4420	1688	cmd.exe	91
PID 1688 wrote to memory of 4420	1688	cmd.exe	91
PID 4304 wrote to memory of 4000	4304	powershell.exe	92
PID 4304 wrote to memory of 4000	4304	powershell.exe	92
PID 4304 wrote to memory of 4000	4304	powershell.exe	92
PID 4304 wrote to memory of 4044	4304	powershell.exe	93
PID 4304 wrote to memory of 4044	4304	powershell.exe	93
PID 4304 wrote to memory of 4044	4304	powershell.exe	93
PID 2208 wrote to memory of 4580	2208	cmd.exe	94
PID 2208 wrote to memory of 4580	2208	cmd.exe	94
PID 2208 wrote to memory of 4580	2208	cmd.exe	94
PID 2208 wrote to memory of 3352	2208	cmd.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe
"C:\Users\Admin\AppData\Local\Temp\b061dd3b1758cbd31fa0d9ec5f51050350e44d36b03dff80473daa7abc06faf4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:212
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="WWLJQVHC" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4420
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4848
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        6⤵
        Runs ping.exe
        
        PID:2116
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:4044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
600.4MB

MD5
eb9ebf80dbddcdcdc74efa1c22030fd9

SHA1
67713532a17b2551d19bb77106a0bf3ec36acee4

SHA256
2ee59e2a18ad5dc9a28015260c6ce81a1ed6295309f59230e86554e2feb3c7c1

SHA512
3bc41581f0d4edd09137d7f71bb072b1c383c60990f069b2a1f675761764cb2c9fa79db101a8ea0d79916133ed8c548f2de4db9d44b441493ebd0d9eecd702b2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
434.1MB

MD5
a498f5ea04d593dd68249ab98b890908

SHA1
d3da7a04d7d8eecdaabfff364532440fe8e0f809

SHA256
75417dc96c112b2ed91fd930047c16b83c4aa9d18ea7bc55a73dbd76af77bf30

SHA512
ce8f7a6923c0a0f305e8969876f14d3b5601717e74db0cd6008a0ce3b5cdf8b9325e207a662c3a8bc9b8788690ec65ac802890db2485215768c3fab29e277ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
60952b89631826da5c0181c0adb2a93a

SHA1
8346d46460bd75fa7f8f0caf8eada56c17063c70

SHA256
8790e4c65452fd6a0f772eb447f38254d5e91090461d945daaf195c82077d83e

SHA512
5e7f9a8a4ab52c3c70baaf20323f1c7381dbaf414766baa312d17a3144e18348da34e6ad481cb26433fe5f01228cdbb4225ebef3bac74c594dd545ac09fde589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
c70bb2fe7ff28bccd9dc7ff1b1b3bad3

SHA1
0069e287949e47e70cb6084c09ab98a5885d19c7

SHA256
3cba73e955378815126b33a8ac5350496f60b78ffd14ce8cd6fe251249af4db8

SHA512
9d5b609c2b312cca3bce583ecc11f6edb448315e47544e71fe6564818959876d77e5962e78363e6af0c3240478e52e15f3f4174831b4b6e94a90b623c1c46f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
30a7561b37d0fb61c393a040dfdd99e7

SHA1
d385efab2889cf30fd210a4db4ff90210d605a5d

SHA256
76ae9b585e4f390ccf09c90b616671fbe7d049ed5d9ad00d386f6e8fc6f4e06f

SHA512
88d4a9f4f552e5c09859544e1edeae1ae532a5d35486dd29dfd4d5bfd1d059b7a2562c4997ae39c99244169b4d31a7dfa8653014d1fe3a75b52087f42a2b99ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
9871f5f64e104f04bd0f320ed525c185

SHA1
3916d9f73b6a345c0ed3622f7a4f2370a5b719f7

SHA256
d7d8e9390c42b66d1d6f2786b3d4d76cc688bf854eacc9fcac0d5d5f8ece5d6f

SHA512
b09553aa5ebb9ffcfa3fd430554c59a158a1033ca6eee6a2af2681e1a9c5b7f0e70b59a01c068fdde554ce766ddb13cfcbfa2494191691ed7451b329e20c1639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
8d319c05012bcec85a4c758d82969157

SHA1
fe0d0ef8361a25f31002d7a2f2f720616f0691ef

SHA256
3c3f7b0a99bb288601b34301d54448a296e265a5a57453210e9a1d1a3cd9f9ef

SHA512
d7bba5486f8a1e80725ed1878a53bcbe818c025803959dd54433a5d959e2f144ef943b48e9b0ff5fea57232aa897dc1b0aef66fcbe09f868de53b873d071b3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fkpzwfk.1a0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
187.2MB

MD5
7f55b6a71b6b3d953d9102e0547c0b21

SHA1
560faac3912d5a9179297bb33619a41520c499c7

SHA256
c5991ef3c4aab63276508338f62f22cd753e508eaa080ec1e81e7b708dda0d35

SHA512
6997159f35e78616c484869d46ecd6ac74336e4886ea4ca6c82a4dcfa7aff02137dba507bd989ab84e759909143220ed23a3d4a227b376e82624c2e3b8bb7b0c

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
memory/212-68-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/212-103-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/212-82-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/212-81-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/212-69-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/212-67-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-48-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2188-63-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2188-64-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-60-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2188-47-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2188-46-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3832-22-0x00000000070A0000-0x00000000070C2000-memory.dmp

Filesize
136KB

Download
memory/3832-19-0x0000000004970000-0x00000000049A6000-memory.dmp

Filesize
216KB

Download
memory/3832-17-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3832-18-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3832-28-0x0000000008240000-0x00000000082B6000-memory.dmp

Filesize
472KB

Download
memory/3832-40-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3832-39-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3832-27-0x0000000007F00000-0x0000000007F4B000-memory.dmp

Filesize
300KB

Download
memory/3832-26-0x00000000071C0000-0x00000000071DC000-memory.dmp

Filesize
112KB

Download
memory/3832-25-0x0000000007AB0000-0x0000000007E00000-memory.dmp

Filesize
3.3MB

Download
memory/3832-24-0x0000000007A40000-0x0000000007AA6000-memory.dmp

Filesize
408KB

Download
memory/3832-23-0x0000000007220000-0x0000000007286000-memory.dmp

Filesize
408KB

Download
memory/3832-43-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3832-21-0x0000000007310000-0x0000000007938000-memory.dmp

Filesize
6.2MB

Download
memory/3832-20-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4000-445-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-447-0x0000000000080000-0x0000000000236000-memory.dmp

Filesize
1.7MB

Download
memory/4000-449-0x0000000004E40000-0x0000000004EDC000-memory.dmp

Filesize
624KB

Download
memory/4024-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4024-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4024-134-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4304-149-0x0000000007F80000-0x0000000007FCB000-memory.dmp

Filesize
300KB

Download
memory/4304-407-0x0000000009CF0000-0x000000000A368000-memory.dmp

Filesize
6.5MB

Download
memory/4304-414-0x000000000A370000-0x000000000A86E000-memory.dmp

Filesize
5.0MB

Download
memory/4304-413-0x00000000091D0000-0x00000000091F2000-memory.dmp

Filesize
136KB

Download
memory/4304-144-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/4304-145-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4304-146-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4304-147-0x0000000007510000-0x0000000007860000-memory.dmp

Filesize
3.3MB

Download
memory/4304-408-0x0000000009090000-0x00000000090AA000-memory.dmp

Filesize
104KB

Download
memory/4304-381-0x0000000008EC0000-0x0000000008EC8000-memory.dmp

Filesize
32KB

Download
memory/4304-376-0x0000000008EE0000-0x0000000008EFA000-memory.dmp

Filesize
104KB

Download
memory/4304-171-0x0000000008C20000-0x0000000008C53000-memory.dmp

Filesize
204KB

Download
memory/4304-172-0x0000000008BE0000-0x0000000008BFE000-memory.dmp

Filesize
120KB

Download
memory/4304-177-0x0000000008FE0000-0x0000000009085000-memory.dmp

Filesize
660KB

Download
memory/4304-178-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/4304-179-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4304-180-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4304-182-0x0000000009130000-0x00000000091C4000-memory.dmp

Filesize
592KB

Download
memory/4304-181-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4304-253-0x00000000066C0000-0x00000000066D0000-memory.dmp

Filesize
64KB

Download
memory/4516-106-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4516-105-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/4516-104-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/4516-89-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/4516-88-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/4516-87-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-109-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-110-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/4560-127-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-111-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/4560-123-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/4560-124-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download