metasploit | e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53

Analysis

max time kernel
106s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 08:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
Size

5.2MB
MD5

4786e70687f230ac3d08946bd3b08540
SHA1

bcc4228899c875d3444be0830b5e4bdd5d9b096a
SHA256

e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53
SHA512

2719b5bb5d5797b530463e0e132496a224ea061fc897c66779037214c5e63c5b1a7df3422c1e6f9ddd2101cacda344e013b2c11ae078ec4bd8ea22332a213486
SSDEEP

98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7:NemFM0jB4v+zfjhFO+mH8L9/F7fbuc

Score

10^/10

metasploit neshta backdoor discovery persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Detect Neshta payload 61 IoCs

resource	yara_rule
behavioral2/files/0x0031000000023b75-24.dat	family_neshta
behavioral2/files/0x000a000000023b77-35.dat	family_neshta
behavioral2/files/0x000b000000023b76-52.dat	family_neshta
behavioral2/files/0x0004000000020352-75.dat	family_neshta
behavioral2/files/0x00010000000202b1-74.dat	family_neshta
behavioral2/files/0x0004000000020340-73.dat	family_neshta
behavioral2/files/0x000100000002029e-72.dat	family_neshta
behavioral2/files/0x0008000000020241-81.dat	family_neshta
behavioral2/files/0x00010000000214e4-95.dat	family_neshta
behavioral2/files/0x00010000000214e3-94.dat	family_neshta
behavioral2/files/0x00010000000214e2-93.dat	family_neshta
behavioral2/files/0x0001000000022f33-98.dat	family_neshta
behavioral2/files/0x0001000000022f31-107.dat	family_neshta
behavioral2/files/0x0001000000022f72-108.dat	family_neshta
behavioral2/files/0x0001000000022f34-103.dat	family_neshta
behavioral2/files/0x0001000000016855-119.dat	family_neshta
behavioral2/files/0x0001000000016805-122.dat	family_neshta
behavioral2/files/0x00010000000167e9-126.dat	family_neshta
behavioral2/files/0x000100000001dbe7-134.dat	family_neshta
behavioral2/files/0x000100000001dbe5-133.dat	family_neshta
behavioral2/files/0x0001000000016970-148.dat	family_neshta
behavioral2/files/0x000100000001dbdb-131.dat	family_neshta
behavioral2/files/0x0001000000016917-150.dat	family_neshta
behavioral2/files/0x000500000001e0b6-158.dat	family_neshta
behavioral2/files/0x000e00000001f3d2-163.dat	family_neshta
behavioral2/files/0x00010000000228ec-174.dat	family_neshta
behavioral2/files/0x0002000000000727-177.dat	family_neshta
behavioral2/files/0x00020000000215d4-178.dat	family_neshta
behavioral2/files/0x000400000001e689-181.dat	family_neshta
behavioral2/files/0x000b00000001ee13-190.dat	family_neshta
behavioral2/files/0x000500000001e8b0-189.dat	family_neshta
behavioral2/files/0x000e00000001e5cf-188.dat	family_neshta
behavioral2/files/0x000300000001e8b7-180.dat	family_neshta
behavioral2/files/0x000300000001e866-179.dat	family_neshta
behavioral2/files/0x000a00000001e7f6-191.dat	family_neshta
behavioral2/memory/5092-207-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3300-208-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000400000002034d-210.dat	family_neshta
behavioral2/files/0x0007000000020288-211.dat	family_neshta
behavioral2/files/0x0006000000020220-212.dat	family_neshta
behavioral2/files/0x0006000000020228-213.dat	family_neshta
behavioral2/files/0x000400000002033f-215.dat	family_neshta
behavioral2/files/0x0006000000020237-219.dat	family_neshta
behavioral2/files/0x0004000000020313-218.dat	family_neshta
behavioral2/files/0x0001000000020299-217.dat	family_neshta
behavioral2/files/0x000100000002022f-216.dat	family_neshta
behavioral2/files/0x000600000002021c-214.dat	family_neshta
behavioral2/files/0x000600000002023f-220.dat	family_neshta
behavioral2/files/0x00010000000225e2-224.dat	family_neshta
behavioral2/files/0x0001000000022f32-225.dat	family_neshta
behavioral2/files/0x0002000000020317-222.dat	family_neshta
behavioral2/files/0x0001000000021539-223.dat	family_neshta
behavioral2/memory/544-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5092-227-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3300-228-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/544-229-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5092-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3300-231-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3300-235-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/544-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5092-234-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FatRat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	Server.exe
5092	2.exe
3300	FatRat.exe
2816	FatRat.exe
544	svchost.com
1824	WIDGET~1.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	FatRat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4080-7-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/4080-12-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/4080-41-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b76-38.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2.exe
File opened for modification	C:\Windows\svchost.com	FatRat.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIDGET~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FatRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	FatRat.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4504	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	82
PID 4080 wrote to memory of 4504	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	82
PID 4080 wrote to memory of 4504	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	82
PID 4080 wrote to memory of 5092	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	83
PID 4080 wrote to memory of 5092	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	83
PID 4080 wrote to memory of 5092	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	83
PID 4080 wrote to memory of 3300	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	84
PID 4080 wrote to memory of 3300	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	84
PID 4080 wrote to memory of 3300	4080	e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe	84
PID 3300 wrote to memory of 2816	3300	FatRat.exe	85
PID 3300 wrote to memory of 2816	3300	FatRat.exe	85
PID 3300 wrote to memory of 2816	3300	FatRat.exe	85
PID 4504 wrote to memory of 544	4504	Server.exe	86
PID 4504 wrote to memory of 544	4504	Server.exe	86
PID 4504 wrote to memory of 544	4504	Server.exe	86
PID 544 wrote to memory of 1824	544	svchost.com	87
PID 544 wrote to memory of 1824	544	svchost.com	87
PID 544 wrote to memory of 1824	544	svchost.com	87

C:\Users\Admin\AppData\Local\Temp\e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe
"C:\Users\Admin\AppData\Local\Temp\e47a6e0f33fb40a39911e4bd2a187f5686962867b8f5c5645c23090fa2855b53N.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1824
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\FatRat.exe
  "C:\Users\Admin\AppData\Local\Temp\FatRat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
127KB

MD5
857228f0cfaf7f60edea0bd7bcb71e8c

SHA1
b52bc4db729c60991c55e67e5862553667093d81

SHA256
2c4fdbb93e11d0264718872ef88625bf4d129fbb622beb7c92c7b04dbb76eb91

SHA512
a2fe020b365b07f2a5d29dcac41e2d77e8fac4610a771e435c1620bfb2632f70f67415780f87110efca71b383ebcebad8f034dd89f397d4f160cbb9a9927c3c7

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
1de44508a7e8f14d8a4505eb3d0ed2f1

SHA1
a0fa23cab720fed79a28d9be986c0976fa4a0638

SHA256
40b49d3b15b02f916fb27a9ca6909f0c038416ed44364f9a2e3604bb0d3244f5

SHA512
77bf69cf200da92b960ef7c93e0d73203713cca42604102f23311beea832ebdbcd6d0fec7599cf31e079c30251e3c2705050cb3711e30960ed07d57d1bc21290

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
216KB

MD5
0a10087474efe5e9d65eda6b04eb67a0

SHA1
f3bec2aa01056841be2eabe1a086091f22617f16

SHA256
2808e12482865db3c031a4f6669fcaba312ac2d4faa40ae45e08f8cb47fa9611

SHA512
279eb5550afa1a180d47bbd224e8f246d50e163797bd4ff2ad95b34b6b5a69040f37f8d987faf29d13d15a812b99c100ad4345cb7752d33b3c59a2dcc73175cd

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
4b2192864374f21ee6cb90b81c8b98a9

SHA1
131c29e7354fe6e32153d5dcf4d52c8f9c9d3091

SHA256
b29d2b87e91f82d764ee7ab5947dbf9f3e2b9dc473e571ef1b67622d35cb9b9a

SHA512
2361cfb375b597f6100dd0c84340c34041db4da2ca0bd72e1aba7782e73c43c9ef920c83e367eb16bf213ecb3518e97c6417a5f666a298deefd23f4260b52f2b

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.5MB

MD5
12fd9fcb97cb1e45c020e7bac06b2c91

SHA1
90c6fce6c9c40666ecc0c3964308bb2401676703

SHA256
8cec6976f1f5c004627ac249302e29127f4c7d2cda4df8263bf75281edec7a25

SHA512
c805cc4ca9bbc3e4c961e2685712d44c85aed275cdfd2f6c3c20898c647efbd442fb0b8da0186d06fce88288e9fdec25830c48cb107b73da466098ab19353953

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
3cf2747c62b5c411c47629bfc599fb11

SHA1
d93d60d5ee813349aedb5ad0c32e2d1dd54601c5

SHA256
5da7c65f24da18f8600264d1ff4a810f02bc134e03a0818055e6de1809436e31

SHA512
49b2366cfda43bc025596c2c38c231bd5e2c9f76c2f9fd7165b4d99a6132a482e9e2d8c53b9aa2c36cb940dd83c71f229417f58f82d2a5f9e4a2e57cacb775d7

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
8e42f3a4a399d84e67ed633ba23863cb

SHA1
02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

SHA256
42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

SHA512
0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
595KB

MD5
407713382581beff0589e4c0915a5c14

SHA1
a8239c8d8ee345a10a73c388ec5ee44ef552591f

SHA256
ac2e74f9c3ea5cecea6d893d71e039317ad29c23e13c6808ac37f833b4c5d115

SHA512
ebd092db531ec7efdeb2aae80b8ce22f29e6e46f6ac0b3b824625040faf3a9e4ad3067270b457ab41c0c085a6eed7829f84e2ef36f5cedb3e88cf1c875c6056e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
1106ff26e23d003793c9d5bef018ecba

SHA1
e0a2ce8fa76f2e95d7d8a29e80f6fa765ce6a9ef

SHA256
059db5529603304417e4b8deb7d9f5be475863a23b6c8db7d99599b814d17e9d

SHA512
2cc7f4495c6d6754c132b808efafca5438cbd2e8d31accd090b579710bdfce0d98a1497f682b8478da255d6a7f1b1efca21ef6d5aa633a55d866f9f84d933102

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
262KB

MD5
cef23c0d66813029721b02e1b397826f

SHA1
31d8263edd8defa6a7e5e902d6ee2a7a5b857ee3

SHA256
f44146a1ed13a6c8969fcfc362e76c4970c33e7ce168e183313b8b390ef7fcd0

SHA512
6c438e4978562fb3715cea54f70c89896212ee7603089cbb59b96b08e5bff2344f8a2a7b5fd9ae044e4c6d57f50c839b2389160407d641b28511c50cdf0c646c

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
4754ef85cf5992c484e75c0859cd0c12

SHA1
199b550e52f74d5a9932b1210979bc79a9b8f6fd

SHA256
da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330

SHA512
22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
7975e085c5990e5f6cce33801d3c1e74

SHA1
00ef175713841b92c214ffc01a7ce75b1283a78f

SHA256
746df41a73e931f422c88a3c65bf59a904f174d5899dfd16ef2841d7f05c1aa3

SHA512
857f503fbed30f414249e280117531341f8381326046672db333f1f39fd19e80ee4129447a5d2344ae5edd90b711e51f649a3c2924f844e57c11fffefb438c60

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
91490c78c45cbd686ac759b6a252e898

SHA1
51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480

SHA256
47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821

SHA512
f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
e25ffbddf046809226ea738583fd29f9

SHA1
ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98

SHA256
91630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80

SHA512
4417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
86KB

MD5
d59c194ab2b0248d61ab9c659eba0fcb

SHA1
8bcad802416804c1c6d960904537cf8e58201b82

SHA256
f3ba3930941393350117de1fb68425db11ef4462a256ad5dbc8aae44b48fb8fd

SHA512
04d5955f101763576a930378682ba5ab1fef0c5a3bac3d8baac848544e2469dd6af6a81508d58beb0cb8ad6a0e8eaea740410f6534b26b46423e26bd79695f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe

Filesize
45KB

MD5
ddb085c51c1d739d35e6cfb3f647b6a7

SHA1
309b857dc06c0e458a5b2207157f97bdbe033bbe

SHA256
f6ecd05109a7894fd71e26efb6a9c7f211682b026d28508af792abecce2322b5

SHA512
04f6b7ca78d4c2bb9270e07c774077d79e64b6703919bfa3215f27c022993ae7b110e1ea47fb9bf06e1d7b30e1626f0b4c476d2624cc2a657a073edf2865e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe

Filesize
72KB

MD5
ccf360d4e7bb60abcae997f1929c44dd

SHA1
207dc16a638fb40f9cad4b18dd0ef83aa3fd2def

SHA256
0530f03b56c5a156c5057ba986548ddf87c1df0b5c9912313989d85c9ac23276

SHA512
b53eaef698fae41c1ab9be84f1a59d8564145061e03834e598db947cebaee9b9715fff48a33c76479b1a521e73850c77b370f4e371f8f829a58f7c69c2c372a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FatRat.exe

Filesize
112KB

MD5
618fba54db5ea661575520f4123e00d4

SHA1
ff2e63b913940ebf861ba675876d4f6ab5a3941d

SHA256
bfb6a2c92bf846643cb5964591cde4067d59ce0cb295bc7cfbdbabefad5ea2d5

SHA512
838773f4b14e9e91eef0e3af31d69e0ad727dd43745a5b7e54a8490f49af5fda58c347b371daca45398572a1d803ff03073fb906cfffa2091cb48573dd84040a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
01ce791be97aa5a1746af78c8fe7ccf5

SHA1
688b851e079fa103a652cd1ae5c84d31eb9d143d

SHA256
fd425b904cc91842cfebc84882bcb75e181f5d647176dfa7dbd8b56fd1976028

SHA512
6f2d785842415383e4e1cd87519313bd7cfdd9612175fe8fb82ab75952d14ce4a3aebeb94eadecad28b4487338439296da8b277b49e93601fe2c0b730b6cbbe6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/544-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3300-235-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3300-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3300-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3300-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-6-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4080-5-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4080-9-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4080-8-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/4080-1-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4080-2-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4080-3-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4080-4-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4080-7-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/4080-12-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/4080-0-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/4080-41-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/4080-42-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/4504-206-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/4504-37-0x0000000073D02000-0x0000000073D03000-memory.dmp

Filesize
4KB

Download
memory/4504-40-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/5092-207-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download