metasploit | bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Size

5.2MB
MD5

386d04e063ab5bb7eb21863ab6ce6d8a
SHA1

58e1ce124c0a38f900d703cb786869f05924ef02
SHA256

bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f
SHA512

a47ac301a0e4fc403a4855f5ee5c6f89a11e1a71e697e2dd2741f0006ceda0821adea721e36cbd6d9df4cb7772d25e35497c28a35b208e2a01076d3f3294cd31
SSDEEP

98304:P1hAmoqJW0jB4vmdRQcYduvjhK4OQyyuz/21wH8LHd/F902scBcwucGeR7E:NemFM0jB4v+zfjhFO+mH8L9/F7fbucA

Score

10^/10

metasploit neshta backdoor discovery persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Detect Neshta payload 37 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c77-26.dat	family_neshta
behavioral2/files/0x0007000000023c78-34.dat	family_neshta
behavioral2/files/0x0008000000023c74-52.dat	family_neshta
behavioral2/files/0x0006000000020216-63.dat	family_neshta
behavioral2/files/0x0004000000020336-71.dat	family_neshta
behavioral2/files/0x00010000000214da-100.dat	family_neshta
behavioral2/files/0x00010000000214d9-98.dat	family_neshta
behavioral2/files/0x00010000000214d8-97.dat	family_neshta
behavioral2/files/0x0001000000022f69-113.dat	family_neshta
behavioral2/files/0x0001000000022f67-115.dat	family_neshta
behavioral2/files/0x000200000001dc0c-135.dat	family_neshta
behavioral2/files/0x000100000001691f-154.dat	family_neshta
behavioral2/files/0x0001000000022739-181.dat	family_neshta
behavioral2/files/0x0001000000022730-180.dat	family_neshta
behavioral2/files/0x00010000000228e1-183.dat	family_neshta
behavioral2/files/0x00020000000215d1-188.dat	family_neshta
behavioral2/files/0x000200000000072d-187.dat	family_neshta
behavioral2/files/0x000300000001e877-190.dat	family_neshta
behavioral2/files/0x000500000001e8c1-196.dat	family_neshta
behavioral2/files/0x000e00000001f3ba-194.dat	family_neshta
behavioral2/files/0x000b00000001edfb-199.dat	family_neshta
behavioral2/files/0x000400000001e6a0-193.dat	family_neshta
behavioral2/files/0x000500000001e0b3-192.dat	family_neshta
behavioral2/files/0x000c00000001e5cc-195.dat	family_neshta
behavioral2/files/0x000a00000001e809-200.dat	family_neshta
behavioral2/files/0x000300000001e8c8-191.dat	family_neshta
behavioral2/memory/3784-217-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2396-219-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3644-221-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3784-222-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3784-225-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2396-228-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3784-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FatRat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 7 IoCs

pid	Process
3380	Server.exe
3784	2.exe
440	FatRat.exe
2396	svchost.com
1380	FatRat.exe
3644	svchost.com
1412	WIDGET~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2872-10-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/2872-7-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect
behavioral2/memory/2872-41-0x0000000000400000-0x0000000000CA4000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c7a-38.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	FatRat.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	FatRat.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2.exe
File opened for modification	C:\Windows\svchost.com	FatRat.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FatRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIDGET~1.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	FatRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3380	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	83
PID 2872 wrote to memory of 3380	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	83
PID 2872 wrote to memory of 3380	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	83
PID 2872 wrote to memory of 3784	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	84
PID 2872 wrote to memory of 3784	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	84
PID 2872 wrote to memory of 3784	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	84
PID 2872 wrote to memory of 440	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 2872 wrote to memory of 440	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 2872 wrote to memory of 440	2872	bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe	85
PID 440 wrote to memory of 2396	440	FatRat.exe	86
PID 440 wrote to memory of 2396	440	FatRat.exe	86
PID 440 wrote to memory of 2396	440	FatRat.exe	86
PID 2396 wrote to memory of 1380	2396	svchost.com	87
PID 2396 wrote to memory of 1380	2396	svchost.com	87
PID 2396 wrote to memory of 1380	2396	svchost.com	87
PID 3380 wrote to memory of 3644	3380	Server.exe	88
PID 3380 wrote to memory of 3644	3380	Server.exe	88
PID 3380 wrote to memory of 3644	3380	Server.exe	88
PID 3644 wrote to memory of 1412	3644	svchost.com	89
PID 3644 wrote to memory of 1412	3644	svchost.com	89
PID 3644 wrote to memory of 1412	3644	svchost.com	89

C:\Users\Admin\AppData\Local\Temp\bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe
"C:\Users\Admin\AppData\Local\Temp\bf864296d632a4f80ad03f65a0c5908d964bb3519d18e2444df296deb1a8b24f.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      C:\Users\Admin\AppData\Roaming\WIDGET~1.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1412
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\FatRat.exe
  "C:\Users\Admin\AppData\Local\Temp\FatRat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
10748253009c18f4695b7043dcf36fdc

SHA1
22d24c7b4cd0b280f09a76534545cfdc1d66a256

SHA256
3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1

SHA512
477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
239KB

MD5
59d97c95789bbf991bdb6be3e491489c

SHA1
49db7e471189cb4bf5edb9d1a43e0ebb5dc4564a

SHA256
9057a9634aed0357e1be7efea49ca6de6a19e830d999b3a126345e27db1a822b

SHA512
45ff0099ca64199f35e4a85d6806733c4f89c37f00ddceb2a772481c7b402937ef2e36fb7591d806ee909c84dd946a7134cfae135db9c56db4acdb7bf183e760

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
e307ea0d25ec974a8b6c7b97dd1f7d67

SHA1
751afacb926bf565cc172457df1dd60a5aed062c

SHA256
2cbf96f5ce2c21b11119f28ea50efeedb8000dbc7e3f48d3fe5f7a0d04a0ea24

SHA512
e0981fbb200dbfea669aa8d4f6cec365d5af2608b8daed36c840cfc9d8bfc499ed641ca5370917627da6a6e235e044f7f3d998fb80399d5711aa3d6cc4c3b4de

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
62cee57f68ee7e0e3ef51ef37792ac37

SHA1
d21783c2e444c89467ed578f7fa735a3203316ee

SHA256
72dd833db5bbb2796fe1e339656393cbabb171b114d6183da2e89940c39b9b4b

SHA512
edf2bede3c6ba44eec65460fe39de612dcd3e43da555b3fec644eff66e6db581b98ee676c7924e11ef4b448a8cb037e74dfb5e2fa2347c50ae553d5d33e511eb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
691KB

MD5
e962d2392b90300472c4dddf0e3c97e9

SHA1
8dc56c1d4f5b19c8123c21ecdb9350a3fdaca694

SHA256
a877577dfedf71057c1d8839e294650dcd29ea72a6b41af05569f6c00e86b096

SHA512
62b5bdc8284007f4584cca332720feeb69b78c8362615b36ee4d8021b47767e8bf0db0f67e88cc0d8e56b9e6e70344c9d3746d897b536e5c9b20245fd577a01f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
691KB

MD5
ce87c8a7b58a3cc12bb7a05782249dfa

SHA1
a87d91e70a998737e19f5666417e0d5f8b857754

SHA256
257b43ec42a4ff904cd18f48e74bef64cbe80dda79947252c31d0ef70a656e07

SHA512
8f0b5cf2f8a615f21693df2a4581b20290a00cf88cc28280fd97f447cab6a147a96ab485ddc7cbfd4d180d0dc8b14053329bce3a49c4c2da4844aa56810d0c90

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
691KB

MD5
0a95f10b9844e1232d124ad02c29f847

SHA1
3379e8af13238397a096c2a840592c23eb3a2ffc

SHA256
a33fe9874b5f7c03f49b8b881046f131ff6a1fdf1f4386508bf679649d12d713

SHA512
38f280a010ad11da57b940e1a2808be944f202f585243f8e897685f8a19cdcb6477feb3516133ffd5f92841c51f89fb0cd9046eb55780385f51e36d9a565a968

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

Filesize
499KB

MD5
346d2ff654d6257364a7c32b1ec53c09

SHA1
224301c0f56a870f20383c45801ec16d01dc48d1

SHA256
a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255

SHA512
223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

Filesize
293KB

MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
e25ffbddf046809226ea738583fd29f9

SHA1
ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98

SHA256
91630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80

SHA512
4417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
86KB

MD5
d59c194ab2b0248d61ab9c659eba0fcb

SHA1
8bcad802416804c1c6d960904537cf8e58201b82

SHA256
f3ba3930941393350117de1fb68425db11ef4462a256ad5dbc8aae44b48fb8fd

SHA512
04d5955f101763576a930378682ba5ab1fef0c5a3bac3d8baac848544e2469dd6af6a81508d58beb0cb8ad6a0e8eaea740410f6534b26b46423e26bd79695f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2.exe

Filesize
45KB

MD5
ddb085c51c1d739d35e6cfb3f647b6a7

SHA1
309b857dc06c0e458a5b2207157f97bdbe033bbe

SHA256
f6ecd05109a7894fd71e26efb6a9c7f211682b026d28508af792abecce2322b5

SHA512
04f6b7ca78d4c2bb9270e07c774077d79e64b6703919bfa3215f27c022993ae7b110e1ea47fb9bf06e1d7b30e1626f0b4c476d2624cc2a657a073edf2865e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\FatRat.exe

Filesize
72KB

MD5
ccf360d4e7bb60abcae997f1929c44dd

SHA1
207dc16a638fb40f9cad4b18dd0ef83aa3fd2def

SHA256
0530f03b56c5a156c5057ba986548ddf87c1df0b5c9912313989d85c9ac23276

SHA512
b53eaef698fae41c1ab9be84f1a59d8564145061e03834e598db947cebaee9b9715fff48a33c76479b1a521e73850c77b370f4e371f8f829a58f7c69c2c372a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FatRat.exe

Filesize
112KB

MD5
618fba54db5ea661575520f4123e00d4

SHA1
ff2e63b913940ebf861ba675876d4f6ab5a3941d

SHA256
bfb6a2c92bf846643cb5964591cde4067d59ce0cb295bc7cfbdbabefad5ea2d5

SHA512
838773f4b14e9e91eef0e3af31d69e0ad727dd43745a5b7e54a8490f49af5fda58c347b371daca45398572a1d803ff03073fb906cfffa2091cb48573dd84040a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
01ce791be97aa5a1746af78c8fe7ccf5

SHA1
688b851e079fa103a652cd1ae5c84d31eb9d143d

SHA256
fd425b904cc91842cfebc84882bcb75e181f5d647176dfa7dbd8b56fd1976028

SHA512
6f2d785842415383e4e1cd87519313bd7cfdd9612175fe8fb82ab75952d14ce4a3aebeb94eadecad28b4487338439296da8b277b49e93601fe2c0b730b6cbbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
b4403a102b1ceac299b98deb81274917

SHA1
c77e7024a2ba8b258bd1b30a1a90828a8ad88e49

SHA256
398033a5c536b92eff4d986e005f305a88f634dcdb0bb36e794cc66da760387d

SHA512
de746ccf095c377392549e068f4fa1c34ce46c93acb68497578832bd627caaba2429e562fbf6bf6f079ed2427e9e59bb1b9568e998e11ffb5e3f1a501d562346

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
15db81b0c2dd1f0b88b93c2aebbbb392

SHA1
d9b43bd6e3c9c288ec4f9337e0e624b2186fd890

SHA256
00632b7a76b7174edb719f7c809f537eb36931a5d178b0bd5be538e111dcb500

SHA512
be595660289a2cec14772061b15bdc52a153a4ae7a76f9d7e841aad39c9133b4db2912aedecfc6b1a855b0cff05292134732243ff6ac4fde4762a40a3c9a01f9

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/440-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-5-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2872-2-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2872-10-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2872-9-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/2872-0-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2872-41-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2872-6-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2872-7-0x0000000000400000-0x0000000000CA4000-memory.dmp

Filesize
8.6MB

Download
memory/2872-3-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/2872-36-0x0000000000408000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2872-8-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/2872-4-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3380-35-0x0000000073A52000-0x0000000073A53000-memory.dmp

Filesize
4KB

Download
memory/3380-42-0x0000000073A50000-0x0000000074001000-memory.dmp

Filesize
5.7MB

Download
memory/3380-216-0x0000000073A50000-0x0000000074001000-memory.dmp

Filesize
5.7MB

Download
memory/3380-40-0x0000000073A50000-0x0000000074001000-memory.dmp

Filesize
5.7MB

Download
memory/3644-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download