neshta | 721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe
Size

219KB
MD5

59dc3967141ca52cb7ca453e49466c2c
SHA1

1e8b462485397258d714de677bb51c39c0ad71bd
SHA256

721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7
SHA512

1dc35f36cdc9ba324dbe2111a184e8c32f8028f0e64b70632d0b3cb335067425540ea2e6d8277952210b59b5fa9895409061dfb79a51bc73bf5d0aa5935ac81f
SSDEEP

3072:y07eXGQEShPWt1/2Rxvbd44G2vt2e+AVCm+QKNFknJG39OsTh3m28LWv1:8GtSVO1+RVhG8keXv2K/K

Score

10^/10

neshta njrat غروف الثالث evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

غروف الثالث

wwee222.zapto.org:443

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes

reg_key
d5a38e9b5f206c41f8851bf04a251d26
splitter
|'|'|

Signatures

Detect Neshta payload 23 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

Server.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Server.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

njRat Crypter.exeServer.exeServer.exesvchost.comchrome.exe

pid process

4132 njRat Crypter.exe
1560 Server.exe
4832 Server.exe
4808 svchost.com
1528 chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4788 netsh.exe

pid	process
4132	njRat Crypter.exe
1560	Server.exe
4832	Server.exe
4808	svchost.com
1528	chrome.exe

pid	process
4788	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exeServer.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Server.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

Server.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	Server.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Server.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Server.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	Server.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	Server.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	Server.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	Server.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	Server.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	Server.exe

Drops file in Windows directory 3 IoCs

Processes:

Server.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	Server.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Server.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Server.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

chrome.exe

pid	process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 1528 chrome.exe

description	pid	process
Token: SeDebugPrivilege	1528	chrome.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exeServer.exeServer.exesvchost.comchrome.exe

description	pid	process	target process
PID 3464 wrote to memory of 4132	3464	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe	njRat Crypter.exe
PID 3464 wrote to memory of 4132	3464	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe	njRat Crypter.exe
PID 3464 wrote to memory of 1560	3464	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe	Server.exe
PID 3464 wrote to memory of 1560	3464	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe	Server.exe
PID 3464 wrote to memory of 1560	3464	721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe	Server.exe
PID 1560 wrote to memory of 4832	1560	Server.exe	Server.exe
PID 1560 wrote to memory of 4832	1560	Server.exe	Server.exe
PID 1560 wrote to memory of 4832	1560	Server.exe	Server.exe
PID 4832 wrote to memory of 4808	4832	Server.exe	svchost.com
PID 4832 wrote to memory of 4808	4832	Server.exe	svchost.com
PID 4832 wrote to memory of 4808	4832	Server.exe	svchost.com
PID 4808 wrote to memory of 1528	4808	svchost.com	chrome.exe
PID 4808 wrote to memory of 1528	4808	svchost.com	chrome.exe
PID 4808 wrote to memory of 1528	4808	svchost.com	chrome.exe
PID 1528 wrote to memory of 4788	1528	chrome.exe	netsh.exe
PID 1528 wrote to memory of 4788	1528	chrome.exe	netsh.exe
PID 1528 wrote to memory of 4788	1528	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe
"C:\Users\Admin\AppData\Local\Temp\721216f6098893f78ccb62cff66865d99574bb84037ba362dc34d1701c998aa7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\njRat Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\njRat Crypter.exe"
2⤵
- Executes dropped EXE
PID:4132

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\chrome.exe
C:\Users\Admin\AppData\Local\Temp\chrome.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
942KB

MD5
2d3cc5612a414f556f925a3c1cb6a1d6

SHA1
0fee45317280ed326e941cc2d0df848c4e74e894

SHA256
fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

SHA512
cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
178KB

MD5
f1e707e6e6a6bd544e1f4c04dae68f0b

SHA1
7328d139b7378264796838c9b7ffedc233589cde

SHA256
98764ffe0366a01ae235033054556e52d6061633dfb6fba210940c89500809d2

SHA512
18a16bdb76f2749ed318873122b6e6374449d20cec4ae6a9fa1368a830a17064be266840dc89fe587ee0667b1d5b2942e32947a6e429109900816179ecdfe9cf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
178KB

MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE
Filesize
138KB

MD5
82649a1761880ef4a8d1e3bee7c12768

SHA1
fc84b999ab23833a6d7819ee767848310f8bf81b

SHA256
1afb1832d6a6ca187553f7c0e2edb57045d7bbbe43c404a4ba920a6804712ea5

SHA512
23b04a99a5d95f2b8f976fa9443c05fcd1ab875758de379155ae4c6ce5a736a3853cc288e9348671b61289b3037001974be20cc9422d5761c75e294c465614bd

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE
Filesize
281KB

MD5
716d1330048d881ff40aecf334eb295a

SHA1
6d70ff496f57a059c869752f26004837aa9da2a3

SHA256
c1f6495c23d9dc1bf1011388577b2e0ad1f19d376e79d575fb32905e0c9865f5

SHA512
87f7c3226a495f0ea7f8b49b684b91247e75ed4ac66153d4668a7aa1277778bac5e2045dbf990d9ae830b460aa79d4422d48fa3e58e35c904c89e1519c57a0fd

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
Filesize
287KB

MD5
3187a65469cf0bee0e5c66af3afee773

SHA1
c4155263eb60eaac6d4b8960b7a6e1f064c1c4fd

SHA256
cd67f379ef3747dabc72e0a3b6fe73cdcb7e59b5b716b84497c9d44675ec34f4

SHA512
6e57f69cce1de4ab2a45a16437bee784ad7c21f5ef422350c5a6e8cf1aa5003f9dd41deb1fbc5779a29786f49552b05354e0891ae3acaa979414e6338c8f270f

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
Filesize
244KB

MD5
fd4739ad26d293132d8e4ae11773b5ff

SHA1
20d4201da77108d659de983fa9e23c0cc65825c4

SHA256
ab390f70e7074104558d8709cac4627bad6633a83813dfa3a80418708f7ba1e3

SHA512
7d72f2a48d6f5386e22a2e5d191659f54cec2e99ddcce879ee65ccd6fc7e6a8070834bde9a87b467523501471b98fa582cb9a08b26f709dc8b9170c2662f90fa

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
Filesize
2.8MB

MD5
31ad1ca6f3c4f33d294fa97666607157

SHA1
76bcc63d4db4e9a1fd7c719b623d649ac065ffed

SHA256
89e85fa1f92a31bb7a019dc29ef8df2248e1e72c3ea3c01ef2f3494387e79d6b

SHA512
ffd534a8944185c59c9f23ded9b5dd4be041df37ec652cc487a56429d2057b5141de5ce23ecad0ff1d6d6499104051453ae3f51d19fbebf2570f1be6b478b829

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
Filesize
78KB

MD5
140c2635f0083c6c50492a05b65f20e8

SHA1
212f47d46a0ae777865ee088c858bc5350050412

SHA256
bce892d02cc15c25a97be62b1875b5e5d6b0f71e5968b03f5df95d9e8afb4644

SHA512
dde4fbab2fd7501f3562cf642972fee880bd123ae133df27ba558018b54f249522a70ebb9020db25227541d2f2c7556066d2b5c36ffd451252cdb43b39256b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
Filesize
78KB

MD5
140c2635f0083c6c50492a05b65f20e8

SHA1
212f47d46a0ae777865ee088c858bc5350050412

SHA256
bce892d02cc15c25a97be62b1875b5e5d6b0f71e5968b03f5df95d9e8afb4644

SHA512
dde4fbab2fd7501f3562cf642972fee880bd123ae133df27ba558018b54f249522a70ebb9020db25227541d2f2c7556066d2b5c36ffd451252cdb43b39256b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
119KB

MD5
98e2bfd9abdfb3a3d2b5ede403268f17

SHA1
f8d5fa6b524835efde55e6dd0b478c8bb2dd6a7e

SHA256
e777cd79db5c1da310a63f207c0134458e958e3c915ef1582f61a0a4248131fd

SHA512
c208f4eb27e075c6a4ba7edeaa2b15233fe1b070a89f070a6d3cadfaef01ac0856946c1f24a527941a99616cb43009293a7fa6814ee41221b00c2074ae016554

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
119KB

MD5
98e2bfd9abdfb3a3d2b5ede403268f17

SHA1
f8d5fa6b524835efde55e6dd0b478c8bb2dd6a7e

SHA256
e777cd79db5c1da310a63f207c0134458e958e3c915ef1582f61a0a4248131fd

SHA512
c208f4eb27e075c6a4ba7edeaa2b15233fe1b070a89f070a6d3cadfaef01ac0856946c1f24a527941a99616cb43009293a7fa6814ee41221b00c2074ae016554

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
78KB

MD5
140c2635f0083c6c50492a05b65f20e8

SHA1
212f47d46a0ae777865ee088c858bc5350050412

SHA256
bce892d02cc15c25a97be62b1875b5e5d6b0f71e5968b03f5df95d9e8afb4644

SHA512
dde4fbab2fd7501f3562cf642972fee880bd123ae133df27ba558018b54f249522a70ebb9020db25227541d2f2c7556066d2b5c36ffd451252cdb43b39256b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
78KB

MD5
140c2635f0083c6c50492a05b65f20e8

SHA1
212f47d46a0ae777865ee088c858bc5350050412

SHA256
bce892d02cc15c25a97be62b1875b5e5d6b0f71e5968b03f5df95d9e8afb4644

SHA512
dde4fbab2fd7501f3562cf642972fee880bd123ae133df27ba558018b54f249522a70ebb9020db25227541d2f2c7556066d2b5c36ffd451252cdb43b39256b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Crypter.exe
Filesize
15KB

MD5
7e50de25c6bdd281c430ec1eefc53598

SHA1
945e3424f455bf60f8eb83feb2113718bcbf659f

SHA256
84fc46b07098f923bafe63b24fdb194ac85e79728909b6c56a9fad1df065b0e5

SHA512
1e2f85acd37a39cb0034121c8537d98f266145c9f60003a028bf08834c50e51481b099dd30e338fffea7675b4a0cea5c558be0795013288f74fa540cab4278c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Crypter.exe
Filesize
15KB

MD5
7e50de25c6bdd281c430ec1eefc53598

SHA1
945e3424f455bf60f8eb83feb2113718bcbf659f

SHA256
84fc46b07098f923bafe63b24fdb194ac85e79728909b6c56a9fad1df065b0e5

SHA512
1e2f85acd37a39cb0034121c8537d98f266145c9f60003a028bf08834c50e51481b099dd30e338fffea7675b4a0cea5c558be0795013288f74fa540cab4278c6

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f984d3e8ec96345a66b35a323906bb00

SHA1
32e140c40a2df98c2a04f4f431d46ada2eacd614

SHA256
b8536b5e5e83eda7d987e942455fe8c7a1bdc82cb9dfa5f6af58f3000bdddd11

SHA512
cd98fe870d452ef3670bb729f932edd17fa650f152e57019130cb9e4cf63bed6185dfb5ab444ca6b71a06a806a79e7ca67e4b87358b046052e8d6bbefc30c66f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f984d3e8ec96345a66b35a323906bb00

SHA1
32e140c40a2df98c2a04f4f431d46ada2eacd614

SHA256
b8536b5e5e83eda7d987e942455fe8c7a1bdc82cb9dfa5f6af58f3000bdddd11

SHA512
cd98fe870d452ef3670bb729f932edd17fa650f152e57019130cb9e4cf63bed6185dfb5ab444ca6b71a06a806a79e7ca67e4b87358b046052e8d6bbefc30c66f

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/1528-150-0x00000000737F0000-0x0000000073DA1000-memory.dmp

Filesize
5.7MB

Download
memory/1528-146-0x0000000000000000-mapping.dmp

Download
memory/1528-171-0x00000000737F0000-0x0000000073DA1000-memory.dmp

Filesize
5.7MB

Download
memory/1560-135-0x0000000000000000-mapping.dmp

Download
memory/4132-132-0x0000000000000000-mapping.dmp

Download
memory/4132-141-0x00007FFB914B0000-0x00007FFB91EE6000-memory.dmp

Filesize
10.2MB

Download
memory/4788-149-0x0000000000000000-mapping.dmp

Download
memory/4808-142-0x0000000000000000-mapping.dmp

Download
memory/4832-148-0x00000000737F0000-0x0000000073DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4832-138-0x0000000000000000-mapping.dmp

Download
memory/4832-170-0x00000000737F0000-0x0000000073DA1000-memory.dmp

Filesize
5.7MB

Download