58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967

Analysis

max time kernel
139s
max time network
104s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2023, 11:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe
Size

1.4MB
MD5

c1003b6f15f4c7e81041596d4cd1aee0
SHA1

1f69408c6a007bbe4900cc467580f492d77beb09
SHA256

58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967
SHA512

7243dab27b469e257951b5e928ca1e8e90db95706fc83b6b63cac53f7639c10b3d6eecc30f98c7750c5adb8aeaf239b6eb49c4659ff62a15d882bbd009ad9da2
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe,"	reg.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4820	netsh.exe
3764	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001afa7-135.dat	acprotect
behavioral1/files/0x000800000001afa7-136.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
5092	7z.exe
4192	ratt.exe
3000	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
5092	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001afc5-132.dat	upx
behavioral1/memory/5092-133-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x000700000001afc5-134.dat	upx
behavioral1/files/0x000800000001afa7-135.dat	upx
behavioral1/files/0x000800000001afa7-136.dat	upx
behavioral1/memory/5092-137-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/5092-141-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3064	PING.EXE
4132	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
3412	powershell.exe
3412	powershell.exe
3412	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
4192	ratt.exe
3000	ratt.exe
3000	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1380	WMIC.exe
Token: SeSecurityPrivilege	1380	WMIC.exe
Token: SeTakeOwnershipPrivilege	1380	WMIC.exe
Token: SeLoadDriverPrivilege	1380	WMIC.exe
Token: SeSystemProfilePrivilege	1380	WMIC.exe
Token: SeSystemtimePrivilege	1380	WMIC.exe
Token: SeProfSingleProcessPrivilege	1380	WMIC.exe
Token: SeIncBasePriorityPrivilege	1380	WMIC.exe
Token: SeCreatePagefilePrivilege	1380	WMIC.exe
Token: SeBackupPrivilege	1380	WMIC.exe
Token: SeRestorePrivilege	1380	WMIC.exe
Token: SeShutdownPrivilege	1380	WMIC.exe
Token: SeDebugPrivilege	1380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1380	WMIC.exe
Token: SeRemoteShutdownPrivilege	1380	WMIC.exe
Token: SeUndockPrivilege	1380	WMIC.exe
Token: SeManageVolumePrivilege	1380	WMIC.exe
Token: 33	1380	WMIC.exe
Token: 34	1380	WMIC.exe
Token: 35	1380	WMIC.exe
Token: 36	1380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1380	WMIC.exe
Token: SeSecurityPrivilege	1380	WMIC.exe
Token: SeTakeOwnershipPrivilege	1380	WMIC.exe
Token: SeLoadDriverPrivilege	1380	WMIC.exe
Token: SeSystemProfilePrivilege	1380	WMIC.exe
Token: SeSystemtimePrivilege	1380	WMIC.exe
Token: SeProfSingleProcessPrivilege	1380	WMIC.exe
Token: SeIncBasePriorityPrivilege	1380	WMIC.exe
Token: SeCreatePagefilePrivilege	1380	WMIC.exe
Token: SeBackupPrivilege	1380	WMIC.exe
Token: SeRestorePrivilege	1380	WMIC.exe
Token: SeShutdownPrivilege	1380	WMIC.exe
Token: SeDebugPrivilege	1380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1380	WMIC.exe
Token: SeRemoteShutdownPrivilege	1380	WMIC.exe
Token: SeUndockPrivilege	1380	WMIC.exe
Token: SeManageVolumePrivilege	1380	WMIC.exe
Token: 33	1380	WMIC.exe
Token: 34	1380	WMIC.exe
Token: 35	1380	WMIC.exe
Token: 36	1380	WMIC.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4380	4136	58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe	69
PID 4136 wrote to memory of 4380	4136	58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe	69
PID 4136 wrote to memory of 4380	4136	58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe	69
PID 4380 wrote to memory of 1448	4380	cmd.exe	72
PID 4380 wrote to memory of 1448	4380	cmd.exe	72
PID 4380 wrote to memory of 1448	4380	cmd.exe	72
PID 1448 wrote to memory of 3268	1448	cmd.exe	73
PID 1448 wrote to memory of 3268	1448	cmd.exe	73
PID 1448 wrote to memory of 3268	1448	cmd.exe	73
PID 4380 wrote to memory of 4792	4380	cmd.exe	74
PID 4380 wrote to memory of 4792	4380	cmd.exe	74
PID 4380 wrote to memory of 4792	4380	cmd.exe	74
PID 4792 wrote to memory of 1380	4792	cmd.exe	75
PID 4792 wrote to memory of 1380	4792	cmd.exe	75
PID 4792 wrote to memory of 1380	4792	cmd.exe	75
PID 4380 wrote to memory of 2112	4380	cmd.exe	77
PID 4380 wrote to memory of 2112	4380	cmd.exe	77
PID 4380 wrote to memory of 2112	4380	cmd.exe	77
PID 4380 wrote to memory of 3324	4380	cmd.exe	78
PID 4380 wrote to memory of 3324	4380	cmd.exe	78
PID 4380 wrote to memory of 3324	4380	cmd.exe	78
PID 4380 wrote to memory of 3412	4380	cmd.exe	79
PID 4380 wrote to memory of 3412	4380	cmd.exe	79
PID 4380 wrote to memory of 3412	4380	cmd.exe	79
PID 4380 wrote to memory of 948	4380	cmd.exe	80
PID 4380 wrote to memory of 948	4380	cmd.exe	80
PID 4380 wrote to memory of 948	4380	cmd.exe	80
PID 4380 wrote to memory of 4548	4380	cmd.exe	81
PID 4380 wrote to memory of 4548	4380	cmd.exe	81
PID 4380 wrote to memory of 4548	4380	cmd.exe	81
PID 4380 wrote to memory of 5092	4380	cmd.exe	82
PID 4380 wrote to memory of 5092	4380	cmd.exe	82
PID 4380 wrote to memory of 5092	4380	cmd.exe	82
PID 4380 wrote to memory of 5004	4380	cmd.exe	83
PID 4380 wrote to memory of 5004	4380	cmd.exe	83
PID 4380 wrote to memory of 5004	4380	cmd.exe	83
PID 5004 wrote to memory of 4820	5004	powershell.exe	84
PID 5004 wrote to memory of 4820	5004	powershell.exe	84
PID 5004 wrote to memory of 4820	5004	powershell.exe	84
PID 5004 wrote to memory of 3764	5004	powershell.exe	85
PID 5004 wrote to memory of 3764	5004	powershell.exe	85
PID 5004 wrote to memory of 3764	5004	powershell.exe	85
PID 5004 wrote to memory of 3556	5004	powershell.exe	86
PID 5004 wrote to memory of 3556	5004	powershell.exe	86
PID 5004 wrote to memory of 3556	5004	powershell.exe	86
PID 3556 wrote to memory of 4480	3556	cmd.exe	87
PID 3556 wrote to memory of 4480	3556	cmd.exe	87
PID 3556 wrote to memory of 4480	3556	cmd.exe	87
PID 5004 wrote to memory of 1472	5004	powershell.exe	88
PID 5004 wrote to memory of 1472	5004	powershell.exe	88
PID 5004 wrote to memory of 1472	5004	powershell.exe	88
PID 1472 wrote to memory of 708	1472	cmd.exe	89
PID 1472 wrote to memory of 708	1472	cmd.exe	89
PID 1472 wrote to memory of 708	1472	cmd.exe	89
PID 5004 wrote to memory of 4192	5004	powershell.exe	90
PID 5004 wrote to memory of 4192	5004	powershell.exe	90
PID 5004 wrote to memory of 4192	5004	powershell.exe	90
PID 5004 wrote to memory of 2164	5004	powershell.exe	91
PID 5004 wrote to memory of 2164	5004	powershell.exe	91
PID 5004 wrote to memory of 2164	5004	powershell.exe	91
PID 4380 wrote to memory of 2848	4380	cmd.exe	92
PID 4380 wrote to memory of 2848	4380	cmd.exe	92
PID 4380 wrote to memory of 2848	4380	cmd.exe	92
PID 4192 wrote to memory of 4996	4192	ratt.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe
"C:\Users\Admin\AppData\Local\Temp\58cdced3d481ccab7bc5a930787c014d641255fa5665a2017b07292b2974c967.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4820
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="WWLJQVHC" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:708
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:3064
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        Modifies WinLogon for persistence
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        6⤵
        Runs ping.exe
        
        PID:4132
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2164
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
547.1MB

MD5
20ea5f25aba614c50c2f064ad8605d67

SHA1
bcc17fc637f71ef0164050ea2b4150fb5b9bf532

SHA256
0b5cb35cfc8b473d53445682c5119b7dc361b4e35d47f87416eae1361f5ff535

SHA512
bc7ced743c0e6cb683e0652da5b249399c6bfe0fdc0013222fe0015c67082bf48c50629ad629dac055a640cc405352fc78c6a924ff1105d6df8363115a3072d9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
375.8MB

MD5
704529f739a5ddae58d3f6f0cde642c3

SHA1
da8d6d55b7db38679807f0425271b5aba8dd7bf7

SHA256
20cb6d8d8aa370c3e8beb465c0a7228e36760156f12862ce73c1aec6a3b70b58

SHA512
dda82a14f5018fff256322c6837f1ee1a7ba963aaed96b7da7d9a95701e82691e05dbd1a7a4e5bc92eb2b874ebffa62b858cf7864c56dc91fa8790ef5cdd7071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5bb757c9c39b9a7a135d1332a19da60b

SHA1
7793bef391b2f49fbda54078142a619c2f925401

SHA256
a7db6d94e89ef9ebbc2e6b66e30c6bd42fa124bbc6d21902d4adcfc75e89286e

SHA512
aa6e1fa8b7f78dc55dfda34616066e058582e27cc858cc9210b5fc7d1fce396d11a5f5fef9bfeef6a5d0a004248d1810fb3db2681b55b2cedb217a3a20de4e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
2df1aeb056053e24d9403d8852493413

SHA1
cebd187c1b5bbab1e1a677c1e9dcadf79757106c

SHA256
6fdd62451b49912bf2fcf531905c064fc970ca5f93e23d273d4ac4d4ef7379e6

SHA512
5b3a475a441baefab6365efa37f2dcc03df3b69c56adc28a4b377e4a1f6cebaecaa9ce0d87b45f1392846242b87228d87d0f8f6153ad3f05cc6a9d650ee7e30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5139eeb36a55d9552b1585215e43ab3b

SHA1
a0f6b33eb901b976a17a0f320dac58cf1b7ede28

SHA256
65898869fc53fce8fad4e05f1df4163f68fb433cdd85c074dbf07a563de97d3e

SHA512
807fbc7d8bbd4af0c9fb8e4dce79c424bade2afe434c54c4b03f29d3728160b31da063ffc5516d77a678794bb60b3c05585f01f8fb501d51357e99f0042a3005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
9e0081c6d41a4653c85b961fb073c12e

SHA1
c30c2877b79dc14b8291e41637573a9c440517da

SHA256
0bbea65a9917f8f34bdd4be88d402d6f579b6809fcfa6a0c018e6a710c41e27b

SHA512
b5c1c18e7ad277bf48bab58c7c605a93ce570e88443c91c89496d5deb42c4030e0ff8c5f5cbc72782f81d0e9394d38b3a4717a863eaf5925f06c3e06e5d9c076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
15abdfbf86cc085db0998b72d7c6a913

SHA1
fbe0aa40975d62061e2e9231319c0c93f42c5ebf

SHA256
86731169ae6343b30984555a406c4ddc27ade2f32c76754d00a11de25030d975

SHA512
5ee717c7a848778ca8ac6e17054b11728d7e47b9141b08f8618085f6a002d68be9d96cb08447c2bf9ddd57dee7d5eae15cd663ecc71287161fa40bff5c0acb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnp1pbc4.4xp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
278.7MB

MD5
d96e64786655940dcb22853588cdf32b

SHA1
0817c27dc2624888a581d7604302642ab2b08fd5

SHA256
7a3fd513a8735112b53dda2a2ff03910f9b48bb9898837cdd3f846793547723b

SHA512
cf8fc51b5c5711a7a294b6a2d06ef17feba4fab6ff37e652f574d150a422fad45bfddf6639f9cb08452fc1bc4714db2d6d87dbdedbe678f6091f4ca85496a0b6

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
memory/948-107-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/948-105-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/948-93-0x0000000007A90000-0x0000000007DE0000-memory.dmp

Filesize
3.3MB

Download
memory/948-109-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/948-92-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/948-91-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/948-90-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-39-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2112-28-0x0000000008930000-0x00000000089A6000-memory.dmp

Filesize
472KB

Download
memory/2112-18-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-17-0x0000000007130000-0x0000000007166000-memory.dmp

Filesize
216KB

Download
memory/2112-19-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2112-20-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2112-21-0x0000000007860000-0x0000000007E88000-memory.dmp

Filesize
6.2MB

Download
memory/2112-22-0x0000000007800000-0x0000000007822000-memory.dmp

Filesize
136KB

Download
memory/2112-23-0x0000000007F00000-0x0000000007F66000-memory.dmp

Filesize
408KB

Download
memory/2112-24-0x00000000081C0000-0x0000000008226000-memory.dmp

Filesize
408KB

Download
memory/2112-25-0x00000000082C0000-0x0000000008610000-memory.dmp

Filesize
3.3MB

Download
memory/2112-26-0x0000000007FC0000-0x0000000007FDC000-memory.dmp

Filesize
112KB

Download
memory/2112-27-0x0000000008610000-0x000000000865B000-memory.dmp

Filesize
300KB

Download
memory/2112-44-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-40-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3324-63-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3324-50-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3324-48-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3324-49-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3324-66-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3324-65-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3412-87-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3412-70-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3412-84-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3412-83-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3412-69-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3412-71-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/4192-446-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/4192-442-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/4192-447-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/4192-448-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4192-443-0x0000000000A10000-0x0000000000BC6000-memory.dmp

Filesize
1.7MB

Download
memory/4192-449-0x0000000005540000-0x0000000005586000-memory.dmp

Filesize
280KB

Download
memory/4548-111-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/4548-130-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/4548-113-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4548-114-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4548-126-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4548-129-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/5004-407-0x0000000009320000-0x000000000933A000-memory.dmp

Filesize
104KB

Download
memory/5004-413-0x000000000A520000-0x000000000AA1E000-memory.dmp

Filesize
5.0MB

Download
memory/5004-181-0x0000000009400000-0x0000000009494000-memory.dmp

Filesize
592KB

Download
memory/5004-305-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/5004-375-0x0000000008FA0000-0x0000000008FBA000-memory.dmp

Filesize
104KB

Download
memory/5004-380-0x0000000008F40000-0x0000000008F48000-memory.dmp

Filesize
32KB

Download
memory/5004-406-0x0000000009EA0000-0x000000000A518000-memory.dmp

Filesize
6.5MB

Download
memory/5004-150-0x00000000081C0000-0x000000000820B000-memory.dmp

Filesize
300KB

Download
memory/5004-412-0x0000000009390000-0x00000000093B2000-memory.dmp

Filesize
136KB

Download
memory/5004-180-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/5004-147-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-148-0x0000000007650000-0x00000000079A0000-memory.dmp

Filesize
3.3MB

Download
memory/5004-171-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-173-0x0000000008EA0000-0x0000000008ED3000-memory.dmp

Filesize
204KB

Download
memory/5004-179-0x0000000009270000-0x0000000009315000-memory.dmp

Filesize
660KB

Download
memory/5004-174-0x0000000008260000-0x000000000827E000-memory.dmp

Filesize
120KB

Download
memory/5092-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5092-137-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/5092-141-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download