abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340

Analysis

max time kernel
187s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe
Size

1.4MB
MD5

ae9e85d6e11f83b95812c072249bd504
SHA1

e0f4bcef2a2e0501b06e4a45a5f0063ce1e5c644
SHA256

abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340
SHA512

8752e01e26096cf44986119c7a04fba03a11587f48183b1aebca82a9ef2a0bafaca370ab385c8ca0fc29d922745d4854bf9743083d962e7fe5fd4f6fcf19b10b
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1616	netsh.exe
1520	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0032000000015604-73.dat	acprotect
behavioral1/files/0x0032000000015604-72.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
1708	7z.exe
2932	ratt.exe
2064	ratt.exe

Loads dropped DLL 5 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe
1708	7z.exe
3064	powershell.exe
2504	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015c58-66.dat	upx
behavioral1/files/0x0007000000015c58-69.dat	upx
behavioral1/memory/2504-68-0x0000000000180000-0x00000000001B2000-memory.dmp	upx
behavioral1/files/0x0032000000015604-73.dat	upx
behavioral1/files/0x0032000000015604-72.dat	upx
behavioral1/files/0x0007000000015c58-67.dat	upx
behavioral1/files/0x0007000000015c58-70.dat	upx
behavioral1/memory/1708-75-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/1708-77-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1708-87-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2972	powershell.exe
2984	powershell.exe
1100	powershell.exe
1748	powershell.exe
2812	powershell.exe
3064	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe
Token: SeLoadDriverPrivilege	2420	WMIC.exe
Token: SeSystemProfilePrivilege	2420	WMIC.exe
Token: SeSystemtimePrivilege	2420	WMIC.exe
Token: SeProfSingleProcessPrivilege	2420	WMIC.exe
Token: SeIncBasePriorityPrivilege	2420	WMIC.exe
Token: SeCreatePagefilePrivilege	2420	WMIC.exe
Token: SeBackupPrivilege	2420	WMIC.exe
Token: SeRestorePrivilege	2420	WMIC.exe
Token: SeShutdownPrivilege	2420	WMIC.exe
Token: SeDebugPrivilege	2420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2420	WMIC.exe
Token: SeRemoteShutdownPrivilege	2420	WMIC.exe
Token: SeUndockPrivilege	2420	WMIC.exe
Token: SeManageVolumePrivilege	2420	WMIC.exe
Token: 33	2420	WMIC.exe
Token: 34	2420	WMIC.exe
Token: 35	2420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2420	WMIC.exe
Token: SeSecurityPrivilege	2420	WMIC.exe
Token: SeTakeOwnershipPrivilege	2420	WMIC.exe
Token: SeLoadDriverPrivilege	2420	WMIC.exe
Token: SeSystemProfilePrivilege	2420	WMIC.exe
Token: SeSystemtimePrivilege	2420	WMIC.exe
Token: SeProfSingleProcessPrivilege	2420	WMIC.exe
Token: SeIncBasePriorityPrivilege	2420	WMIC.exe
Token: SeCreatePagefilePrivilege	2420	WMIC.exe
Token: SeBackupPrivilege	2420	WMIC.exe
Token: SeRestorePrivilege	2420	WMIC.exe
Token: SeShutdownPrivilege	2420	WMIC.exe
Token: SeDebugPrivilege	2420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2420	WMIC.exe
Token: SeRemoteShutdownPrivilege	2420	WMIC.exe
Token: SeUndockPrivilege	2420	WMIC.exe
Token: SeManageVolumePrivilege	2420	WMIC.exe
Token: 33	2420	WMIC.exe
Token: 34	2420	WMIC.exe
Token: 35	2420	WMIC.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeIncreaseQuotaPrivilege	2440	WMIC.exe
Token: SeSecurityPrivilege	2440	WMIC.exe
Token: SeTakeOwnershipPrivilege	2440	WMIC.exe
Token: SeLoadDriverPrivilege	2440	WMIC.exe
Token: SeSystemProfilePrivilege	2440	WMIC.exe
Token: SeSystemtimePrivilege	2440	WMIC.exe
Token: SeProfSingleProcessPrivilege	2440	WMIC.exe
Token: SeIncBasePriorityPrivilege	2440	WMIC.exe
Token: SeCreatePagefilePrivilege	2440	WMIC.exe
Token: SeBackupPrivilege	2440	WMIC.exe
Token: SeRestorePrivilege	2440	WMIC.exe
Token: SeShutdownPrivilege	2440	WMIC.exe
Token: SeDebugPrivilege	2440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2440	WMIC.exe
Token: SeRemoteShutdownPrivilege	2440	WMIC.exe
Token: SeUndockPrivilege	2440	WMIC.exe
Token: SeManageVolumePrivilege	2440	WMIC.exe
Token: 33	2440	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2504	2604	abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe	29
PID 2604 wrote to memory of 2504	2604	abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe	29
PID 2604 wrote to memory of 2504	2604	abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe	29
PID 2604 wrote to memory of 2504	2604	abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe	29
PID 2504 wrote to memory of 2520	2504	cmd.exe	31
PID 2504 wrote to memory of 2520	2504	cmd.exe	31
PID 2504 wrote to memory of 2520	2504	cmd.exe	31
PID 2504 wrote to memory of 2520	2504	cmd.exe	31
PID 2520 wrote to memory of 2668	2520	cmd.exe	32
PID 2520 wrote to memory of 2668	2520	cmd.exe	32
PID 2520 wrote to memory of 2668	2520	cmd.exe	32
PID 2520 wrote to memory of 2668	2520	cmd.exe	32
PID 2504 wrote to memory of 2664	2504	cmd.exe	33
PID 2504 wrote to memory of 2664	2504	cmd.exe	33
PID 2504 wrote to memory of 2664	2504	cmd.exe	33
PID 2504 wrote to memory of 2664	2504	cmd.exe	33
PID 2664 wrote to memory of 2420	2664	cmd.exe	34
PID 2664 wrote to memory of 2420	2664	cmd.exe	34
PID 2664 wrote to memory of 2420	2664	cmd.exe	34
PID 2664 wrote to memory of 2420	2664	cmd.exe	34
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2984	2504	cmd.exe	37
PID 2504 wrote to memory of 2984	2504	cmd.exe	37
PID 2504 wrote to memory of 2984	2504	cmd.exe	37
PID 2504 wrote to memory of 2984	2504	cmd.exe	37
PID 2504 wrote to memory of 1100	2504	cmd.exe	38
PID 2504 wrote to memory of 1100	2504	cmd.exe	38
PID 2504 wrote to memory of 1100	2504	cmd.exe	38
PID 2504 wrote to memory of 1100	2504	cmd.exe	38
PID 2504 wrote to memory of 1748	2504	cmd.exe	39
PID 2504 wrote to memory of 1748	2504	cmd.exe	39
PID 2504 wrote to memory of 1748	2504	cmd.exe	39
PID 2504 wrote to memory of 1748	2504	cmd.exe	39
PID 2504 wrote to memory of 2812	2504	cmd.exe	40
PID 2504 wrote to memory of 2812	2504	cmd.exe	40
PID 2504 wrote to memory of 2812	2504	cmd.exe	40
PID 2504 wrote to memory of 2812	2504	cmd.exe	40
PID 2504 wrote to memory of 1708	2504	cmd.exe	41
PID 2504 wrote to memory of 1708	2504	cmd.exe	41
PID 2504 wrote to memory of 1708	2504	cmd.exe	41
PID 2504 wrote to memory of 1708	2504	cmd.exe	41
PID 2504 wrote to memory of 3064	2504	cmd.exe	42
PID 2504 wrote to memory of 3064	2504	cmd.exe	42
PID 2504 wrote to memory of 3064	2504	cmd.exe	42
PID 2504 wrote to memory of 3064	2504	cmd.exe	42
PID 3064 wrote to memory of 1520	3064	powershell.exe	43
PID 3064 wrote to memory of 1520	3064	powershell.exe	43
PID 3064 wrote to memory of 1520	3064	powershell.exe	43
PID 3064 wrote to memory of 1520	3064	powershell.exe	43
PID 3064 wrote to memory of 1616	3064	powershell.exe	44
PID 3064 wrote to memory of 1616	3064	powershell.exe	44
PID 3064 wrote to memory of 1616	3064	powershell.exe	44
PID 3064 wrote to memory of 1616	3064	powershell.exe	44
PID 3064 wrote to memory of 2272	3064	powershell.exe	45
PID 3064 wrote to memory of 2272	3064	powershell.exe	45
PID 3064 wrote to memory of 2272	3064	powershell.exe	45
PID 3064 wrote to memory of 2272	3064	powershell.exe	45
PID 2272 wrote to memory of 2440	2272	cmd.exe	46
PID 2272 wrote to memory of 2440	2272	cmd.exe	46
PID 2272 wrote to memory of 2440	2272	cmd.exe	46
PID 2272 wrote to memory of 2440	2272	cmd.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe
"C:\Users\Admin\AppData\Local\Temp\abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1520
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="GPFFWLPI" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:1904
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      PID:2932
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:956
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
49.4MB

MD5
110c85e95a13168ae418227a2beb2b9b

SHA1
d3e13797aa06638b683d988475d55cfa9a2ff1f3

SHA256
f40fcfd3fbc91cc26ebff824ad7eff3b913fec7a62e8c0e64082bd987af2e13e

SHA512
bffceea5e8c1033e80832f007fe5fac9be5936c4ab27d64ca05cfe2793c39fb56960bacb7407dfd89d25ebc0ee1d3bd9a241a7d6df220c7783ed65dae49056ab

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
49.4MB

MD5
110c85e95a13168ae418227a2beb2b9b

SHA1
d3e13797aa06638b683d988475d55cfa9a2ff1f3

SHA256
f40fcfd3fbc91cc26ebff824ad7eff3b913fec7a62e8c0e64082bd987af2e13e

SHA512
bffceea5e8c1033e80832f007fe5fac9be5936c4ab27d64ca05cfe2793c39fb56960bacb7407dfd89d25ebc0ee1d3bd9a241a7d6df220c7783ed65dae49056ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
43.7MB

MD5
07156432fe8461b8e5de3cba6b77c578

SHA1
23d0e6249a9e5069e2334ada502b96cd23eb5c74

SHA256
597c70a06197a642bd35621759ceb4313fb87d5a27fec85965c742cd0fd5d797

SHA512
8ac50e24fcff92779d46008a66d9ae2f4634440ec948ff4202c063d97f5b09846de35910ba035e8a0c06b37b580432728dec082a382bbf949150558dedfc52cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
745.1MB

MD5
be788bb3680cf3809d9678ee6f7ba321

SHA1
499f01d5f654f83e172004dcc03f99abdd251734

SHA256
03a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b

SHA512
83c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C65J94BG4GLZKF6P3B7U.temp

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12fab41a5b883f5b98d71c221724387f

SHA1
d26ba55981d6ca9c2a3c96e0165e14473cf429d5

SHA256
77f1d175ebfe8618a922192b31eaaf26cc6a63626d82e6c24cd4623ba1f9ccf1

SHA512
5722f6115dc573bf0457ede4736a96357c1c82eb9dca67b539e6b493501a9683193e50fcf4d37e816b1035fe528b223d42cdb327c32991f3d66d32e97fa94a37

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
49.4MB

MD5
110c85e95a13168ae418227a2beb2b9b

SHA1
d3e13797aa06638b683d988475d55cfa9a2ff1f3

SHA256
f40fcfd3fbc91cc26ebff824ad7eff3b913fec7a62e8c0e64082bd987af2e13e

SHA512
bffceea5e8c1033e80832f007fe5fac9be5936c4ab27d64ca05cfe2793c39fb56960bacb7407dfd89d25ebc0ee1d3bd9a241a7d6df220c7783ed65dae49056ab

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
43.8MB

MD5
d800b7c4fb3a9011e01cd92031aa8f7f

SHA1
c4a34481045682ba924eec4e5796d928ecfd46c8

SHA256
b9ef910c1ba128966af9e6e1b660d4b39234a8c5ed2d40a976ee0631cc4489f2

SHA512
ec84b1511875d07793d0b8e685d5d0f6939aef57501ee6611d5fb91eebae946f73d131f16c684bb11be9873758f2780606e41531ea9bbbd767919f6939989967

Download Submit
memory/1100-47-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-49-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-46-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-48-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/1708-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1708-75-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1708-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1748-55-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-56-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-57-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/2064-114-0x000000006FF70000-0x000000007065E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-115-0x00000000003A0000-0x0000000000556000-memory.dmp

Filesize
1.7MB

Download
memory/2064-118-0x000000006FF70000-0x000000007065E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-117-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2504-78-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2504-76-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2504-71-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2504-68-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2812-63-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-64-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-65-0x0000000073C90000-0x000000007423B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-116-0x000000006FF70000-0x000000007065E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-111-0x0000000000360000-0x0000000000516000-memory.dmp

Filesize
1.7MB

Download
memory/2932-110-0x000000006FF70000-0x000000007065E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-29-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2972-27-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-30-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-28-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2972-26-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-40-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-39-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/2984-38-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/2984-36-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-37-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-104-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/3064-97-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-109-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-98-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/3064-96-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-99-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/3064-103-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/3064-102-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/3064-101-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download