c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a

Analysis

max time kernel
81s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe
Size

1.4MB
MD5

612e1743d65d418e8ffc964b7f97db4c
SHA1

392d8cca71de78fd64e485b5f468d178d14d299e
SHA256

c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a
SHA512

b428e7ab3d7a79a330f7612404e536cd95d1a7c8a813a88a23dbc3b49bb0cd253cc97ed38ec7b37832923861db2e6624b66a776a9d8081df4db67c5999dcedf9
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4924	netsh.exe
4612	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002322a-103.dat	acprotect
behavioral2/files/0x000800000002322a-104.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe

Executes dropped EXE 2 IoCs

pid	Process
984	7z.exe
4392	ratt.exe

Loads dropped DLL 1 IoCs

pid	Process
984	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002324c-100.dat	upx
behavioral2/memory/984-101-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x000600000002324c-102.dat	upx
behavioral2/files/0x000800000002322a-103.dat	upx
behavioral2/files/0x000800000002322a-104.dat	upx
behavioral2/memory/984-105-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/984-107-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/984-109-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/984-112-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4708	PING.EXE
2272	PING.EXE
3800	PING.EXE
2348	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2968	powershell.exe
2968	powershell.exe
2404	powershell.exe
2404	powershell.exe
368	powershell.exe
368	powershell.exe
2088	powershell.exe
2088	powershell.exe
1128	powershell.exe
1128	powershell.exe
1128	powershell.exe
1944	powershell.exe
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: 36	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: 36	2020	WMIC.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1380	1316	c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe	83
PID 1316 wrote to memory of 1380	1316	c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe	83
PID 1316 wrote to memory of 1380	1316	c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe	83
PID 1380 wrote to memory of 652	1380	cmd.exe	86
PID 1380 wrote to memory of 652	1380	cmd.exe	86
PID 1380 wrote to memory of 652	1380	cmd.exe	86
PID 652 wrote to memory of 2096	652	cmd.exe	87
PID 652 wrote to memory of 2096	652	cmd.exe	87
PID 652 wrote to memory of 2096	652	cmd.exe	87
PID 1380 wrote to memory of 2612	1380	cmd.exe	88
PID 1380 wrote to memory of 2612	1380	cmd.exe	88
PID 1380 wrote to memory of 2612	1380	cmd.exe	88
PID 2612 wrote to memory of 2020	2612	cmd.exe	89
PID 2612 wrote to memory of 2020	2612	cmd.exe	89
PID 2612 wrote to memory of 2020	2612	cmd.exe	89
PID 1380 wrote to memory of 2968	1380	cmd.exe	92
PID 1380 wrote to memory of 2968	1380	cmd.exe	92
PID 1380 wrote to memory of 2968	1380	cmd.exe	92
PID 1380 wrote to memory of 2404	1380	cmd.exe	97
PID 1380 wrote to memory of 2404	1380	cmd.exe	97
PID 1380 wrote to memory of 2404	1380	cmd.exe	97
PID 1380 wrote to memory of 368	1380	cmd.exe	98
PID 1380 wrote to memory of 368	1380	cmd.exe	98
PID 1380 wrote to memory of 368	1380	cmd.exe	98
PID 1380 wrote to memory of 2088	1380	cmd.exe	101
PID 1380 wrote to memory of 2088	1380	cmd.exe	101
PID 1380 wrote to memory of 2088	1380	cmd.exe	101
PID 1380 wrote to memory of 1128	1380	cmd.exe	103
PID 1380 wrote to memory of 1128	1380	cmd.exe	103
PID 1380 wrote to memory of 1128	1380	cmd.exe	103
PID 1380 wrote to memory of 984	1380	cmd.exe	104
PID 1380 wrote to memory of 984	1380	cmd.exe	104
PID 1380 wrote to memory of 984	1380	cmd.exe	104
PID 1380 wrote to memory of 1944	1380	cmd.exe	106
PID 1380 wrote to memory of 1944	1380	cmd.exe	106
PID 1380 wrote to memory of 1944	1380	cmd.exe	106
PID 1944 wrote to memory of 4924	1944	powershell.exe	107
PID 1944 wrote to memory of 4924	1944	powershell.exe	107
PID 1944 wrote to memory of 4924	1944	powershell.exe	107
PID 1944 wrote to memory of 4612	1944	powershell.exe	108
PID 1944 wrote to memory of 4612	1944	powershell.exe	108
PID 1944 wrote to memory of 4612	1944	powershell.exe	108
PID 1944 wrote to memory of 2424	1944	powershell.exe	109
PID 1944 wrote to memory of 2424	1944	powershell.exe	109
PID 1944 wrote to memory of 2424	1944	powershell.exe	109
PID 2424 wrote to memory of 5116	2424	cmd.exe	110
PID 2424 wrote to memory of 5116	2424	cmd.exe	110
PID 2424 wrote to memory of 5116	2424	cmd.exe	110
PID 1944 wrote to memory of 1656	1944	powershell.exe	111
PID 1944 wrote to memory of 1656	1944	powershell.exe	111
PID 1944 wrote to memory of 1656	1944	powershell.exe	111
PID 1656 wrote to memory of 1100	1656	cmd.exe	112
PID 1656 wrote to memory of 1100	1656	cmd.exe	112
PID 1656 wrote to memory of 1100	1656	cmd.exe	112
PID 1944 wrote to memory of 4392	1944	powershell.exe	113
PID 1944 wrote to memory of 4392	1944	powershell.exe	113
PID 1944 wrote to memory of 4392	1944	powershell.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe
"C:\Users\Admin\AppData\Local\Temp\c82e6ba4402a6a53bb7f50b3fa1aaa393e664041a273f320d668e8c434431e7a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4924
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="HFPAJDPV" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:1100
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:3136
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        6⤵
        Runs ping.exe
        
        PID:4708
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3676
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 18
        6⤵
        Runs ping.exe
        
        PID:2272
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:3792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        5⤵
        Runs ping.exe
        
        PID:3800
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        5⤵
        Runs ping.exe
        
        PID:2348
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
312.1MB

MD5
6e8e9798ed6369a8c57424ead8d49683

SHA1
f15ad2dbefc9c94d9521519def4ad14923309323

SHA256
5dc2a954de6b275754041fc8fb9f00a9dfd4d094e120ccb398f71f99d640907e

SHA512
da1a2b8340948680f4b2e7bf4b040266d9ce2fcd6932ec6ef3a10fdafa9ed162100d05dcc92fc1e78d998c5b1f37ff8eef825c8a5b058073e821bced69195f15

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
228.4MB

MD5
633bbbcd0b1e749de35bf5efc84b6788

SHA1
c244f6978cbf83f8d3cec7c907e5ec7fa4479d81

SHA256
996aedf9458accaf72e139613f74fbe2ed3666b1e15af99f7b4e97c1ecd0c04a

SHA512
e5beab04cafe680f21d8c4847324c30e463bb4d43f64206b21bd7d3e725afbb1b71e4901a766ad0ecb0fda7e1b881bff5dc77305f5cdd0fe5d5867d5e60f41ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f7ed55580bc350b76f8078fa0e29ad36

SHA1
03bf70c75eb841b4f1f78b187ae8135028638220

SHA256
6b0274dca566a2ec059a787367b62bf771681efe513e1e6668f1bc1b56b7e0a2

SHA512
fa7ad74359b7c1d3877e0e03a630ae3387a19b7bfe78219a2fb3db31efe6bab293e33a6caba7c0f521f7c6f7ffeffa5cb6df5b1ac83c7bddb3889c8565685aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a91485de6a09d1aa6e44a6215264b108

SHA1
1556099130f4747e9ad6828e28c2c7e375bb7975

SHA256
f60a594f7e3d8fd93e5f1c177a5dc5600cfdb266860457b54778c9cc70fba234

SHA512
c0d9ac828f0c606385b3e6dfe65a8075de6c57e9cc987537765e16584c68376ff7894abee865ccb7573ac8b97e93a1548553ee53a09a7e974ea7450a6171da0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4cca11f6b353e7fb95b3b7e52fbdba86

SHA1
a17736b3c895f578c42ee411b26f3234dce21366

SHA256
e4b2f2b67df21f0e255957e5e8a9315acc1dfe81ada5e0b7a43044ceba50e353

SHA512
9e2135ce4bbd318289b8e6d43dffe76c370843e270de379ae5dc4fcf63001a6a7c1776b08e86cc6376d20a46f6b3337d317c32635aa46e188b614ec5be410d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9f33588bc969f061c0298f5f19261ce2

SHA1
73baf8a93fe6da33aeac76b26b66b55da2cfa1f9

SHA256
e47848415d74e7e4ec24036168bf40f4fc1354854a718288ebf60bf4a73f2fe6

SHA512
d1289f93aab299f9d6fe4214aee0c3cc10410fc3c26ab9e0b4274b0c841b39b0499252c365ad859f4f69ab462f7c2d58e3f112db9549ad8c48557280b1aaa977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4a901b6f5c8c5e99d17de400b4dd5173

SHA1
1fae981dbd07ea101899994436345fc2965a9684

SHA256
427040ca647c12d25ca00a808bc7e0baf4e9ef96c2de04427f023b19e0c35607

SHA512
1bb16d35808040fbd3e83ef233e2fa5ce8bfed0affd283cb362707cff1a934aae3bd1cb7ea41991e640d649bb2dab6fa70b931a65fec26db0ce05b4e836243ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xd5g1nhd.zre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
648.6MB

MD5
0d3ea935ce5315155c453583e1156191

SHA1
0fc36901cecd7583576261e9a39c6e8811d60afe

SHA256
bb9521715fa126af63e63b12d3592f30cdbf602040e7cf0e94bd976037768472

SHA512
b359eaa78ce25782b71f8f93035a07ae41820d81ec9123c21bc515db1802a04cff2171e8c1a4adb643d4079abd9d809cc58f4f7efbf297034b5c762839ab1993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
195.2MB

MD5
35d9a0cf19fb5a1b15ea95dd70c31b92

SHA1
cac54fb23460cdba06ada80f674973ee5aeb3c2d

SHA256
a4cf50b38eb761df68f118b36f5e2c343b0e2df168ac6f347e14226918160391

SHA512
a65fb99c1270ce57df20c463226955a3bc96ec788f340029cfa081afa3d88904dd77d40243bf202ddc7c773a2ead700e5757f3e823da02c8824c7974eb7aa6ae

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
70.4MB

MD5
b7f756c0fdbfa3bd9c00796eaa8699ac

SHA1
71e98503238aece88d55bd13864392fc80f5346f

SHA256
181ab05ff8d51b5e51c4f95b4b0375b2cdab2cf5db14288fcf053ab6c351abe3

SHA512
d5ecc5c28a584da741e5bef998eb85b15651b8024d3f8a816f8f6ea9a7695afadd27a55e8f8bcbc0ff581d5e6517cfa5c4468a5e5f6c13779d0c00c571b19a03

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
2.9MB

MD5
4882878a563b467b048ceb3dc371994f

SHA1
1ab590c06adcccd2c6fc64d2e0b680d0ec6d51bd

SHA256
9d90d5a316df92168842c656d91e8355f6e1384b91d43b2cc1341d2191427b4e

SHA512
57cfdfe2e6f34642d81a83092a18cd7d177bdf463943d6e553e3a4c117dc987b577bd0e8ef976824ec2dadd9e73077a1d3c9839d0c3ff77e7bdca6937c6ba53c

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
2.2MB

MD5
46945a5fffaec2391e50a2ad812f61cc

SHA1
479edbff52d3ce14656b817fcdcff9e7a1d16330

SHA256
80b8c7e2aaeab3495d02639ecccd07313ca96a1cde4ab41f3885badf591016fe

SHA512
73d84df07c6633e0336b087324ed0428721e62a17af102da32d03936949779a650f2fef2870e754fbfd62413a840a7d5306aa826d6dc81d687fe79a31058e517

Download Submit
memory/368-53-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/368-54-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/368-65-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/368-67-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/984-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/984-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/984-109-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/984-105-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/984-101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1128-98-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1128-84-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1128-85-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1128-86-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1944-158-0x0000000007A30000-0x0000000007A44000-memory.dmp

Filesize
80KB

Download
memory/1944-148-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-163-0x0000000008A70000-0x0000000009014000-memory.dmp

Filesize
5.6MB

Download
memory/1944-162-0x0000000007B70000-0x0000000007B92000-memory.dmp

Filesize
136KB

Download
memory/1944-160-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/1944-159-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/1944-157-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

Filesize
64KB

Download
memory/1944-156-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/1944-155-0x0000000007A00000-0x0000000007A11000-memory.dmp

Filesize
68KB

Download
memory/1944-154-0x0000000007AA0000-0x0000000007B36000-memory.dmp

Filesize
600KB

Download
memory/1944-153-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-152-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/1944-151-0x0000000006B30000-0x0000000006B4A000-memory.dmp

Filesize
104KB

Download
memory/1944-117-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-116-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-118-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-128-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-150-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/1944-130-0x0000000006590000-0x00000000065DC000-memory.dmp

Filesize
304KB

Download
memory/1944-149-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-132-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/1944-133-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

Filesize
64KB

Download
memory/1944-134-0x0000000006AD0000-0x0000000006B02000-memory.dmp

Filesize
200KB

Download
memory/1944-135-0x0000000070260000-0x00000000702AC000-memory.dmp

Filesize
304KB

Download
memory/1944-145-0x00000000052C0000-0x00000000052DE000-memory.dmp

Filesize
120KB

Download
memory/1944-146-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-147-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/2088-69-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2088-83-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2088-75-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/2088-68-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2088-82-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2404-50-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2404-44-0x00000000055A0000-0x00000000058F4000-memory.dmp

Filesize
3.3MB

Download
memory/2404-52-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-38-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2404-37-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-32-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2968-16-0x00000000052D0000-0x00000000058F8000-memory.dmp

Filesize
6.2MB

Download
memory/2968-31-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/2968-30-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/2968-29-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/2968-19-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/2968-18-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2968-35-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-13-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-15-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2968-14-0x0000000004C60000-0x0000000004C96000-memory.dmp

Filesize
216KB

Download
memory/2968-17-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/4392-166-0x0000000000240000-0x00000000003F6000-memory.dmp

Filesize
1.7MB

Download
memory/4392-170-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/4392-168-0x0000000004B80000-0x0000000004C1C000-memory.dmp

Filesize
624KB

Download
memory/4392-167-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download