metasploit | bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f

Analysis

max time kernel
106s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Size

5.2MB
MD5

386d04e063ab5bb7eb21863ab6ce6d8a
SHA1

58e1ce124c0a38f900d703cb786869f05924ef02
SHA256

bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f
SHA512

a47ac301a0e4fc403a4855f5ee5c6f89a11e1a71e697e2dd2741f0006ceda0821adea721e36cbd6d9df4cb7772d25e35497c28a35b208e2a01076d3f3294cd31
SSDEEP

98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7E:NemFM0jB4v+zfjhFO+mH8L9/F7fbucA

Score

10^/10

metasploit neshta backdoor discovery persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e4e1-24.dat	family_neshta
behavioral2/files/0x000300000001e5b2-36.dat	family_neshta
behavioral2/files/0x000400000001e5b4-55.dat	family_neshta
behavioral2/files/0x000800000002024a-83.dat	family_neshta
behavioral2/files/0x00010000000225ec-88.dat	family_neshta
behavioral2/files/0x00010000000214ee-90.dat	family_neshta
behavioral2/files/0x00010000000214ef-97.dat	family_neshta
behavioral2/files/0x00010000000214f0-109.dat	family_neshta
behavioral2/files/0x0001000000016857-126.dat	family_neshta
behavioral2/files/0x00010000000167cb-125.dat	family_neshta
behavioral2/files/0x00010000000167cd-124.dat	family_neshta
behavioral2/files/0x0001000000016807-128.dat	family_neshta
behavioral2/files/0x00010000000167eb-134.dat	family_neshta
behavioral2/files/0x000100000001dbbc-138.dat	family_neshta
behavioral2/files/0x0001000000016919-153.dat	family_neshta
behavioral2/files/0x0001000000016972-151.dat	family_neshta
behavioral2/files/0x000100000001691b-146.dat	family_neshta
behavioral2/files/0x00010000000167b2-123.dat	family_neshta
behavioral2/files/0x0001000000016804-122.dat	family_neshta
behavioral2/files/0x000400000001e6d6-165.dat	family_neshta
behavioral2/files/0x000b00000001e82b-171.dat	family_neshta
behavioral2/files/0x000300000001e899-162.dat	family_neshta
behavioral2/files/0x0001000000022f6e-120.dat	family_neshta
behavioral2/files/0x0001000000022f70-119.dat	family_neshta
behavioral2/files/0x0001000000022f2f-118.dat	family_neshta
behavioral2/files/0x0001000000022f32-117.dat	family_neshta
behavioral2/files/0x0001000000022f6f-116.dat	family_neshta
behavioral2/files/0x0001000000022f31-114.dat	family_neshta
behavioral2/files/0x000300000001e8ea-181.dat	family_neshta
behavioral2/files/0x00020000000215dd-186.dat	family_neshta
behavioral2/files/0x000b00000001e628-183.dat	family_neshta
behavioral2/files/0x000b00000001ee19-188.dat	family_neshta
behavioral2/files/0x000500000001e8e3-187.dat	family_neshta
behavioral2/files/0x000e00000001f3d3-182.dat	family_neshta
behavioral2/files/0x000500000001e45c-180.dat	family_neshta
behavioral2/files/0x000200000000072b-179.dat	family_neshta
behavioral2/files/0x0001000000022f30-113.dat	family_neshta
behavioral2/memory/532-204-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-205-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0008000000020229-209.dat	family_neshta
behavioral2/files/0x00010000000202a4-218.dat	family_neshta
behavioral2/files/0x0006000000020240-220.dat	family_neshta
behavioral2/files/0x000400000002031e-219.dat	family_neshta
behavioral2/files/0x000400000002035d-217.dat	family_neshta
behavioral2/files/0x00010000000202bc-216.dat	family_neshta
behavioral2/files/0x000400000002034b-215.dat	family_neshta
behavioral2/files/0x00010000000202a9-214.dat	family_neshta
behavioral2/files/0x000100000002023a-213.dat	family_neshta
behavioral2/files/0x000400000002034a-212.dat	family_neshta
behavioral2/files/0x0006000000020227-211.dat	family_neshta
behavioral2/files/0x0006000000020231-210.dat	family_neshta
behavioral2/files/0x0007000000020293-208.dat	family_neshta
behavioral2/files/0x0004000000020358-207.dat	family_neshta
behavioral2/memory/4976-221-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/532-222-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4976-224-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/532-225-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4976-227-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/532-228-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-229-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/532-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	FatRat.exe

Executes dropped EXE 6 IoCs

pid	Process
3180	Server.exe
532	2.exe
1852	FatRat.exe
4768	FatRat.exe
4976	svchost.com
4056	WIDGET~1.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	FatRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3060-7-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/3060-10-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/3060-12-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/3060-43-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e5b4-38.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	FatRat.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2.exe
File opened for modification	C:\Windows\svchost.com	FatRat.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIDGET~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	FatRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	FatRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	Server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3180	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 3060 wrote to memory of 3180	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 3060 wrote to memory of 3180	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 3060 wrote to memory of 532	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	86
PID 3060 wrote to memory of 532	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	86
PID 3060 wrote to memory of 532	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	86
PID 3060 wrote to memory of 1852	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	87
PID 3060 wrote to memory of 1852	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	87
PID 3060 wrote to memory of 1852	3060	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	87
PID 1852 wrote to memory of 4768	1852	FatRat.exe	88
PID 1852 wrote to memory of 4768	1852	FatRat.exe	88
PID 1852 wrote to memory of 4768	1852	FatRat.exe	88
PID 3180 wrote to memory of 4976	3180	Server.exe	90
PID 3180 wrote to memory of 4976	3180	Server.exe	90
PID 3180 wrote to memory of 4976	3180	Server.exe	90
PID 4976 wrote to memory of 4056	4976	svchost.com	91
PID 4976 wrote to memory of 4056	4976	svchost.com	91
PID 4976 wrote to memory of 4056	4976	svchost.com	91

C:\Users\Admin\AppData\Local\Temp\bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
"C:\Users\Admin\AppData\Local\Temp\bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4056
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:532
- C:\Users\Admin\AppData\Local\Temp\FatRat.exe
  "C:\Users\Admin\AppData\Local\Temp\FatRat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
127KB

MD5
857228f0cfaf7f60edea0bd7bcb71e8c

SHA1
b52bc4db729c60991c55e67e5862553667093d81

SHA256
2c4fdbb93e11d0264718872ef88625bf4d129fbb622beb7c92c7b04dbb76eb91

SHA512
a2fe020b365b07f2a5d29dcac41e2d77e8fac4610a771e435c1620bfb2632f70f67415780f87110efca71b383ebcebad8f034dd89f397d4f160cbb9a9927c3c7

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
860bc11e2e58c5eb54b6f876d3ab9c15

SHA1
fc63253be5a20c4ed305a4ba28679263d43b2d80

SHA256
dd5f593ee0a354fa9b7701b4944994187f31d21c6827d820c435b401e12ad74a

SHA512
51ff99921cab7a266999fd251beb290fc0cbb8594614e3644c68f2809b6fcf970d9cf5691024379baec5cbd292d10e5ff2dfcaaed34ecae88a838cd02eba3673

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
216KB

MD5
0a10087474efe5e9d65eda6b04eb67a0

SHA1
f3bec2aa01056841be2eabe1a086091f22617f16

SHA256
2808e12482865db3c031a4f6669fcaba312ac2d4faa40ae45e08f8cb47fa9611

SHA512
279eb5550afa1a180d47bbd224e8f246d50e163797bd4ff2ad95b34b6b5a69040f37f8d987faf29d13d15a812b99c100ad4345cb7752d33b3c59a2dcc73175cd

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
4b2192864374f21ee6cb90b81c8b98a9

SHA1
131c29e7354fe6e32153d5dcf4d52c8f9c9d3091

SHA256
b29d2b87e91f82d764ee7ab5947dbf9f3e2b9dc473e571ef1b67622d35cb9b9a

SHA512
2361cfb375b597f6100dd0c84340c34041db4da2ca0bd72e1aba7782e73c43c9ef920c83e367eb16bf213ecb3518e97c6417a5f666a298deefd23f4260b52f2b

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
224KB

MD5
c5314e2203e2df4d55fdfd3597037b80

SHA1
5e9c85842ef294fa11b9c4aa344d2254df8c988e

SHA256
ffd5616e1a20cdd213a7a2b7161ab9db344987e8e1d6bc22bb08e48788d72561

SHA512
a2159beb4e3183f9b433dc75edf0f345aa6e163b7219db3a5cb3135ec7ff1b6bbe7fc3b68882e9355aca26e41e4e750b0474ede0aa484001646604d4c0a47641

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
172KB

MD5
27b1756da81600a64f94b12ddd8e5b42

SHA1
7343ea8a7f464b9c20c07f87be345ab0032542dc

SHA256
1ebaea12083682e6c11457346ee6529f062d14f0834ec30851cc7f63a938e6f7

SHA512
76cba9c0f12da71674694966d9aeb8f65db4d76521c6a8798fb89fb7ca7399a91ceebca5fb22acbf7bfe78121eadee78bc768099eb087a85072229ae51ac32dd

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
294KB

MD5
150d53e0406669e12459116db2c39d69

SHA1
c13c8c5ba5b5c8d3ac2667bd40130fd08681a0fa

SHA256
6d0c9a9d56f98c614de49d5f4ebd6939eced776c479d28aa6e0617162425bf76

SHA512
abfff01b989144cac02100a5bb7b2ea20079bdf3478f75af8ffe2ad978cc13e0d4f10268ef0c4e27d3568e9a357bc7f8fb8be0a7a6804eca1e612346042ce3eb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
133KB

MD5
611971ddcbb204ce06d328a94bc5d0e5

SHA1
99fb2ea3b36b6c4bf0e68a7b1350f44ea43143ae

SHA256
4ad81331f62b2f75fc929191ef5af184555bf20df9bfdbd1b57a2b12e32bab5e

SHA512
65ac3f309b18ca65c5a6f13453dfaa44811278f7684aecf94c3f436de00151b39e62d201f1bd745ff0ea94718dea13adf07281960856e4f13facf38932b2f3c0

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
318KB

MD5
230641822cdf136b04aa8fd87e734a03

SHA1
fddf6494d528f0dd3ce6257b975af5b6f9052e45

SHA256
6f667523102014abeb612bfc2f2f8a2752fad63f92d1eaaba62e56d52f152c33

SHA512
707b96abe770d05ed6ddf4ec7c38e10abb8475b4161cfa8325e4b67a938d0bc292bdbf75a6b24ce699f5941fcb43f8afa6a82b5abf7e3dafdf97214feba87ca8

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
8e42f3a4a399d84e67ed633ba23863cb

SHA1
02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

SHA256
42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

SHA512
0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
814434ae16b63ef396afefd41b22206a

SHA1
7aa89a223d9ed97136077aff6d4a08fa80328f3b

SHA256
92b21fd8f563efb9f693defce3107fe3e55e462561a852a5409aadcca703e9f1

SHA512
b35afc631fdf31e6e81d85c028e19af6b39bf88a908eb5e2d511900b4a303e4c6d4eab99793b3549d3bc70aaadf0da0926f55e35f0a3bd466b871ca61d8847ca

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
64c5c00694478ff090e483eebcd3d7a1

SHA1
af47eaff535970e6178c1bc29a6eb68b874dcfe8

SHA256
a9884e9141ca6f3d5f9a4fe781b104064f3b801d81263058f23b079c945a12f3

SHA512
4df0b6e2f215ef1dd206e9c14eb233e6896ad9b846290edb344947db8f9bcaec5c39777c9dac33aee85433ed3178188c7622ba8ff0b4d2462a80820f338ca495

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
366KB

MD5
b0152d6bc8f286f34e23849c85c04840

SHA1
f97b4f87b1a7bc33abd3bf9fcad4e65d8b703f32

SHA256
22057bedcf7f73b29bfc113e16f8798adce3ac88462e96174c03af175f832ab5

SHA512
98bc6189752af61f887e50f8bd86719d109a5e08b333472692c610779fc808d71c2188b4c952310f82b0e7adbd1ab4ed3a98902815070b2c7b741a422d9227ba

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
cdc455fa95578320bd27e0d89a7c9108

SHA1
60cde78a74e4943f349f1999be3b6fc3c19ab268

SHA256
d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9

SHA512
35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
4754ef85cf5992c484e75c0859cd0c12

SHA1
199b550e52f74d5a9932b1210979bc79a9b8f6fd

SHA256
da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330

SHA512
22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
da18586b25e72ff40c0f24da690a2edc

SHA1
27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5

SHA256
67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e

SHA512
3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
23b1708cd5e7409832fe36f125844e7a

SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e

SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f

SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
86KB

MD5
d59c194ab2b0248d61ab9c659eba0fcb

SHA1
8bcad802416804c1c6d960904537cf8e58201b82

SHA256
f3ba3930941393350117de1fb68425db11ef4462a256ad5dbc8aae44b48fb8fd

SHA512
04d5955f101763576a930378682ba5ab1fef0c5a3bac3d8baac848544e2469dd6af6a81508d58beb0cb8ad6a0e8eaea740410f6534b26b46423e26bd79695f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe

Filesize
45KB

MD5
ddb085c51c1d739d35e6cfb3f647b6a7

SHA1
309b857dc06c0e458a5b2207157f97bdbe033bbe

SHA256
f6ecd05109a7894fd71e26efb6a9c7f211682b026d28508af792abecce2322b5

SHA512
04f6b7ca78d4c2bb9270e07c774077d79e64b6703919bfa3215f27c022993ae7b110e1ea47fb9bf06e1d7b30e1626f0b4c476d2624cc2a657a073edf2865e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe

Filesize
72KB

MD5
ccf360d4e7bb60abcae997f1929c44dd

SHA1
207dc16a638fb40f9cad4b18dd0ef83aa3fd2def

SHA256
0530f03b56c5a156c5057ba986548ddf87c1df0b5c9912313989d85c9ac23276

SHA512
b53eaef698fae41c1ab9be84f1a59d8564145061e03834e598db947cebaee9b9715fff48a33c76479b1a521e73850c77b370f4e371f8f829a58f7c69c2c372a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FatRat.exe

Filesize
112KB

MD5
618fba54db5ea661575520f4123e00d4

SHA1
ff2e63b913940ebf861ba675876d4f6ab5a3941d

SHA256
bfb6a2c92bf846643cb5964591cde4067d59ce0cb295bc7cfbdbabefad5ea2d5

SHA512
838773f4b14e9e91eef0e3af31d69e0ad727dd43745a5b7e54a8490f49af5fda58c347b371daca45398572a1d803ff03073fb906cfffa2091cb48573dd84040a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
01ce791be97aa5a1746af78c8fe7ccf5

SHA1
688b851e079fa103a652cd1ae5c84d31eb9d143d

SHA256
fd425b904cc91842cfebc84882bcb75e181f5d647176dfa7dbd8b56fd1976028

SHA512
6f2d785842415383e4e1cd87519313bd7cfdd9612175fe8fb82ab75952d14ce4a3aebeb94eadecad28b4487338439296da8b277b49e93601fe2c0b730b6cbbe6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/532-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-7-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/3060-12-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/3060-9-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3060-2-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3060-3-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3060-4-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3060-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3060-8-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/3060-6-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/3060-10-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/3060-43-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/3060-40-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/3180-35-0x0000000074042000-0x0000000074043000-memory.dmp

Filesize
4KB

Download
memory/3180-41-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/3180-202-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/3180-42-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download