metasploit | e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53

Analysis

max time kernel
108s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/12/2024, 08:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
Size

5.2MB
MD5

4786e70687f230ac3d08946bd3b08540
SHA1

bcc4228899c875d3444be0830b5e4bdd5d9b096a
SHA256

e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53
SHA512

2719b5bb5d5797b530463e0e132496a224ea061fc897c66779037214c5e63c5b1a7df3422c1e6f9ddd2101cacda344e013b2c11ae078ec4bd8ea22332a213486
SSDEEP

98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7:NemFM0jB4v+zfjhFO+mH8L9/F7fbuc

Score

10^/10

metasploit neshta njrat rezero backdoor discovery evasion persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

ReZero

web-authentication.gl.at.ply.gg:23352

Mutex

0bed19877875a0f3385bb55897b96af0

Attributes

reg_key
0bed19877875a0f3385bb55897b96af0
splitter
|'|'|

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Detect Neshta payload 43 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cc9-53.dat	family_neshta
behavioral1/files/0x0007000000016d17-64.dat	family_neshta
behavioral1/files/0x0007000000016d42-87.dat	family_neshta
behavioral1/files/0x0001000000010315-97.dat	family_neshta
behavioral1/files/0x0001000000010313-96.dat	family_neshta
behavioral1/files/0x000400000001033b-95.dat	family_neshta
behavioral1/memory/2652-109-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000d000000010685-94.dat	family_neshta
behavioral1/files/0x000100000000f7ea-124.dat	family_neshta
behavioral1/files/0x000100000000f707-132.dat	family_neshta
behavioral1/files/0x000100000000f832-134.dat	family_neshta
behavioral1/files/0x000100000000f831-133.dat	family_neshta
behavioral1/files/0x000100000000f876-136.dat	family_neshta
behavioral1/files/0x00010000000117fb-143.dat	family_neshta
behavioral1/files/0x0001000000011875-148.dat	family_neshta
behavioral1/files/0x0001000000011b56-157.dat	family_neshta
behavioral1/files/0x00010000000108f7-168.dat	family_neshta
behavioral1/files/0x0003000000012143-170.dat	family_neshta
behavioral1/files/0x0003000000012142-169.dat	family_neshta
behavioral1/files/0x000300000001213f-171.dat	family_neshta
behavioral1/files/0x0003000000012141-174.dat	family_neshta
behavioral1/files/0x0003000000012183-175.dat	family_neshta
behavioral1/files/0x0003000000012144-173.dat	family_neshta
behavioral1/files/0x0003000000012182-172.dat	family_neshta
behavioral1/files/0x0001000000010693-178.dat	family_neshta
behavioral1/files/0x0001000000010b0c-182.dat	family_neshta
behavioral1/files/0x0001000000011871-194.dat	family_neshta
behavioral1/files/0x0001000000010f4b-202.dat	family_neshta
behavioral1/files/0x0001000000010f93-204.dat	family_neshta
behavioral1/files/0x000100000001107d-211.dat	family_neshta
behavioral1/files/0x0001000000011a14-216.dat	family_neshta
behavioral1/files/0x0001000000011b59-224.dat	family_neshta
behavioral1/files/0x0001000000011272-223.dat	family_neshta
behavioral1/files/0x0001000000011b1e-222.dat	family_neshta
behavioral1/memory/2160-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2700-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2468-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1668-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2160-250-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2468-252-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2468-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2160-257-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2700-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "2"	reg.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1232	attrib.exe
2248	attrib.exe

Executes dropped EXE 9 IoCs

pid	Process
2784	Server.exe
2160	2.exe
2652	FatRat.exe
2684	2.exe
2468	svchost.com
2700	svchost.com
1512	FatRat.exe
1668	svchost.com
2224	WIDGET~1.EXE

Loads dropped DLL 15 IoCs

pid	Process
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2160	2.exe
2700	svchost.com
2700	svchost.com
2160	2.exe
2468	svchost.com
2468	svchost.com
2468	svchost.com
2468	svchost.com
2468	svchost.com
1668	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2328-44-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral1/memory/2328-43-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral1/memory/2328-82-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d3b-77.dat	upx
behavioral1/memory/2684-85-0x0000000140000000-0x0000000140022000-memory.dmp	upx
behavioral1/memory/2684-244-0x0000000140000000-0x0000000140022000-memory.dmp	upx
behavioral1/memory/2684-259-0x0000000140000000-0x0000000140022000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\user32dll.bat	cmd.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FatRat.exe
File created	C:\Windows\user32dll.bat	cmd.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows	attrib.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2.exe
File opened for modification	C:\Windows\svchost.com	FatRat.exe
File opened for modification	C:\Windows\Help\Windows	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows	attrib.exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIDGET~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2616	reg.exe
2872	reg.exe
3060	reg.exe
680	reg.exe
1988	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2784	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	31
PID 2328 wrote to memory of 2784	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	31
PID 2328 wrote to memory of 2784	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	31
PID 2328 wrote to memory of 2784	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	31
PID 2328 wrote to memory of 2160	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	32
PID 2328 wrote to memory of 2160	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	32
PID 2328 wrote to memory of 2160	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	32
PID 2328 wrote to memory of 2160	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	32
PID 2328 wrote to memory of 2652	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	33
PID 2328 wrote to memory of 2652	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	33
PID 2328 wrote to memory of 2652	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	33
PID 2328 wrote to memory of 2652	2328	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	33
PID 2160 wrote to memory of 2684	2160	2.exe	34
PID 2160 wrote to memory of 2684	2160	2.exe	34
PID 2160 wrote to memory of 2684	2160	2.exe	34
PID 2160 wrote to memory of 2684	2160	2.exe	34
PID 2684 wrote to memory of 2468	2684	2.exe	35
PID 2684 wrote to memory of 2468	2684	2.exe	35
PID 2684 wrote to memory of 2468	2684	2.exe	35
PID 2684 wrote to memory of 2468	2684	2.exe	35
PID 2468 wrote to memory of 1104	2468	svchost.com	36
PID 2468 wrote to memory of 1104	2468	svchost.com	36
PID 2468 wrote to memory of 1104	2468	svchost.com	36
PID 2468 wrote to memory of 1104	2468	svchost.com	36
PID 2652 wrote to memory of 2700	2652	FatRat.exe	38
PID 2652 wrote to memory of 2700	2652	FatRat.exe	38
PID 2652 wrote to memory of 2700	2652	FatRat.exe	38
PID 2652 wrote to memory of 2700	2652	FatRat.exe	38
PID 2700 wrote to memory of 1512	2700	svchost.com	39
PID 2700 wrote to memory of 1512	2700	svchost.com	39
PID 2700 wrote to memory of 1512	2700	svchost.com	39
PID 2700 wrote to memory of 1512	2700	svchost.com	39
PID 1104 wrote to memory of 2864	1104	cmd.exe	40
PID 1104 wrote to memory of 2864	1104	cmd.exe	40
PID 1104 wrote to memory of 2864	1104	cmd.exe	40
PID 1104 wrote to memory of 2864	1104	cmd.exe	40
PID 1104 wrote to memory of 2616	1104	cmd.exe	41
PID 1104 wrote to memory of 2616	1104	cmd.exe	41
PID 1104 wrote to memory of 2616	1104	cmd.exe	41
PID 1104 wrote to memory of 2616	1104	cmd.exe	41
PID 1104 wrote to memory of 2872	1104	cmd.exe	42
PID 1104 wrote to memory of 2872	1104	cmd.exe	42
PID 1104 wrote to memory of 2872	1104	cmd.exe	42
PID 1104 wrote to memory of 2872	1104	cmd.exe	42
PID 1104 wrote to memory of 3060	1104	cmd.exe	43
PID 1104 wrote to memory of 3060	1104	cmd.exe	43
PID 1104 wrote to memory of 3060	1104	cmd.exe	43
PID 1104 wrote to memory of 3060	1104	cmd.exe	43
PID 1104 wrote to memory of 1988	1104	cmd.exe	44
PID 1104 wrote to memory of 1988	1104	cmd.exe	44
PID 1104 wrote to memory of 1988	1104	cmd.exe	44
PID 1104 wrote to memory of 1988	1104	cmd.exe	44
PID 1104 wrote to memory of 680	1104	cmd.exe	45
PID 1104 wrote to memory of 680	1104	cmd.exe	45
PID 1104 wrote to memory of 680	1104	cmd.exe	45
PID 1104 wrote to memory of 680	1104	cmd.exe	45
PID 1104 wrote to memory of 1232	1104	cmd.exe	46
PID 1104 wrote to memory of 1232	1104	cmd.exe	46
PID 1104 wrote to memory of 1232	1104	cmd.exe	46
PID 1104 wrote to memory of 1232	1104	cmd.exe	46
PID 2784 wrote to memory of 1668	2784	Server.exe	48
PID 2784 wrote to memory of 1668	2784	Server.exe	48
PID 2784 wrote to memory of 1668	2784	Server.exe	48
PID 2784 wrote to memory of 1668	2784	Server.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1232	attrib.exe
2248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
"C:\Users\Admin\AppData\Local\Temp\e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2224
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E84C.tmp\E84D.bat C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\E84C.tmp\E84D.bat C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce/v "User32" /t REG_SZ /d "C:\Windows\user32dll.bat" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 2 /f
        6⤵
        Disables cmd.exe use via registry modification
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2872
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        6⤵
        Disables RegEdit via registry modification
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3060
      - C:\Windows\SysWOW64\reg.exe
        
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1988
      - C:\Windows\SysWOW64\reg.exe
        
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:680
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Windows +h /S /D
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1232
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\Program Files (x86) +h /S /D
        6⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2248
- C:\Users\Admin\AppData\Local\Temp\FatRat.exe
  "C:\Users\Admin\AppData\Local\Temp\FatRat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
270KB

MD5
93c3e336e307036165cb84f845478b7e

SHA1
a27d9bb914069ba513cb05a7f212f8ca53ca38ab

SHA256
06d17877bf8a3691a0915add8d2b705722dccfba0f8c6daf48116e6166ab1ab5

SHA512
07d2e5cf240410e5e2378527686ea1c560185ccfc59dfe5cfa4e0bfd5c3653be4f0fa07f6398238a9de690593b8ce56acb2c657d1f06dadedab72f09bd250c9a

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
12a5d7cade13ae01baddf73609f8fbe9

SHA1
34e425f4a21db8d7902a78107d29aec1bde41e06

SHA256
94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

SHA512
a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

Filesize
1.2MB

MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE

Filesize
85KB

MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

Filesize
287KB

MD5
aa862d43cd8259716b6510c26af0269c

SHA1
513dad3d8a4b786f961644aed2bbeb10a5e8f999

SHA256
a2b85f985e19e929ab3ae775cd7086d45174c298b0c13a057ff4cf5eb2008fb7

SHA512
581ed3ff14d9ee9ccb1ed9ee0440276af88e63b23c95726fc36239280e9f96167eaeff5490f3694467a0fd72bbc66ad4e56439ce574a8655382762239353beca

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
150KB

MD5
946b2d8f68ca1c24ed6ee4118c78c17b

SHA1
bf60e7c43f7bdab08b6102cf701ae97ad6c09d3f

SHA256
65353203a36f2ddb752ba64468fe30b903fa4f2225db835a6e6f92cf52e53d8d

SHA512
432d592817d0e16fb35bdd0af9a0e7850c889a654f5faee4703d16b64d754e205cad5cb8d17028e6af164a937a950652944558e563b206bc23bc8917c515964c

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
184KB

MD5
67a6e518de5b8401669ccf03059f1bac

SHA1
98ccf378e8c7e3ada48c4f6ca52b9293e141ce84

SHA256
c554dfea900392e9eb4a0ab658f76a5a1de1e41bdce80382b5943dd78fc9516f

SHA512
4e7b1922328d1e05e7faf456f61375df081faacca415c5242e12f081dee4d7f03835a9776295c77e7788984188f27ff358d72bc9100dbb250975aaaf2e95777c

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE

Filesize
127KB

MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE

Filesize
2.1MB

MD5
6b63036a88f260b7a08da9814cf17ce0

SHA1
cac1bd549343a1c3fcefacc2d588155a00c4467b

SHA256
8f9fb3c2ce132a64e157738feaf82bb512ec03d03fa2da95c26470defeef513d

SHA512
383b8676a85e0f2447536bd15019c23bed15a51d633dafe5ac7bcbea75d8064ef9fd938461eab25df7f3eae3de18b87640e8cc12e95f7b58de1209937d8da284

Download Submit
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE

Filesize
549KB

MD5
61631e66dbe2694a93e5dc936dd273be

SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE

Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE

Filesize
1.8MB

MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe

Filesize
45KB

MD5
ddb085c51c1d739d35e6cfb3f647b6a7

SHA1
309b857dc06c0e458a5b2207157f97bdbe033bbe

SHA256
f6ecd05109a7894fd71e26efb6a9c7f211682b026d28508af792abecce2322b5

SHA512
04f6b7ca78d4c2bb9270e07c774077d79e64b6703919bfa3215f27c022993ae7b110e1ea47fb9bf06e1d7b30e1626f0b4c476d2624cc2a657a073edf2865e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe

Filesize
72KB

MD5
ccf360d4e7bb60abcae997f1929c44dd

SHA1
207dc16a638fb40f9cad4b18dd0ef83aa3fd2def

SHA256
0530f03b56c5a156c5057ba986548ddf87c1df0b5c9912313989d85c9ac23276

SHA512
b53eaef698fae41c1ab9be84f1a59d8564145061e03834e598db947cebaee9b9715fff48a33c76479b1a521e73850c77b370f4e371f8f829a58f7c69c2c372a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E84C.tmp\E84D.bat

Filesize
839B

MD5
8159aa71b5044098310a7465ea5e55a4

SHA1
5b716785948726da036a87f9e9afa036c904b8aa

SHA256
0fdb8d2f173ca750975e1c4387903f92c558ec3afb6068071ef1ec6445d899f9

SHA512
cc8f450a776eec4b66232a5de7a1c6d87a01beeb58004e1c181923b431e58010811feadc662273bd84634209345806da2f802ebcaeaa286b9bbc9bc4bcc26a57

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
ac8ea289cb3cc24e9d0995ba8790a34f

SHA1
3449eef600bdf383377738eb4c7ef9f0cf84b731

SHA256
e5082eaea351be68c2bcbf2d66953d5160b85771cf791135fb58767842865db9

SHA512
ddbb44f74a41eb5bd6d96acee8f2bcdf982289473e1f696242e4e2b83b6f7cdf3bbf70ca280c7df3db4096eb3337c8de77fd246a85f7af72470b960cc7d2953f

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
15db81b0c2dd1f0b88b93c2aebbbb392

SHA1
d9b43bd6e3c9c288ec4f9337e0e624b2186fd890

SHA256
00632b7a76b7174edb719f7c809f537eb36931a5d178b0bd5be538e111dcb500

SHA512
be595660289a2cec14772061b15bdc52a153a4ae7a76f9d7e841aad39c9133b4db2912aedecfc6b1a855b0cff05292134732243ff6ac4fde4762a40a3c9a01f9

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
86KB

MD5
d59c194ab2b0248d61ab9c659eba0fcb

SHA1
8bcad802416804c1c6d960904537cf8e58201b82

SHA256
f3ba3930941393350117de1fb68425db11ef4462a256ad5dbc8aae44b48fb8fd

SHA512
04d5955f101763576a930378682ba5ab1fef0c5a3bac3d8baac848544e2469dd6af6a81508d58beb0cb8ad6a0e8eaea740410f6534b26b46423e26bd79695f0a

Download Submit
\Users\Admin\AppData\Local\Temp\FatRat.exe

Filesize
112KB

MD5
618fba54db5ea661575520f4123e00d4

SHA1
ff2e63b913940ebf861ba675876d4f6ab5a3941d

SHA256
bfb6a2c92bf846643cb5964591cde4067d59ce0cb295bc7cfbdbabefad5ea2d5

SHA512
838773f4b14e9e91eef0e3af31d69e0ad727dd43745a5b7e54a8490f49af5fda58c347b371daca45398572a1d803ff03073fb906cfffa2091cb48573dd84040a

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
01ce791be97aa5a1746af78c8fe7ccf5

SHA1
688b851e079fa103a652cd1ae5c84d31eb9d143d

SHA256
fd425b904cc91842cfebc84882bcb75e181f5d647176dfa7dbd8b56fd1976028

SHA512
6f2d785842415383e4e1cd87519313bd7cfdd9612175fe8fb82ab75952d14ce4a3aebeb94eadecad28b4487338439296da8b277b49e93601fe2c0b730b6cbbe6

Download Submit
memory/1668-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-242-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/2160-84-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/2160-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-243-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/2160-80-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/2328-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2328-36-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-17-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2328-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2328-20-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2328-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2328-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2328-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2328-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2328-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-43-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2328-44-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2328-38-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2328-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-117-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2328-40-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2328-82-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2468-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-244-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2684-85-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2684-259-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/2700-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-113-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download