Troj/Xrat-R exhibits the following characteristics:

File Information
  Size:        1.1M
  SHA-1:       5c533a9f95f69c98f5926810f0cf78fa7a6cf447
  MD5:         c6e081d416d2bde4d450f7dc34c1351c
  CRC-32:      f70ab7ef
  File type:   Windows executable
  First seen:  2016-12-11

Runtime Analysis

Registry Keys Created
  HKCU\Software\zUB8dknwC
    InstalledServer = c:\Documents and Settings\test user\Application Data\f6hjg\28dpo.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    GWlgQh = C:\GWlgQhGWlgQh\GWlgQh.vbs

Processes Created
  c:\Documents and Settings\test user\application data\f6hjg\28dpo.exe
  c:\windows\microsoft.net\framework\v2.0.50727\csc.exe

Network Activity (packet capture)
  2017-02-18 07:24:47.085846 IP 192.168.1.102.55839 > 108.179.232.87.80: Flags [P.], seq 0:317, ack 1, win 256, length 317: HTTP: GET /Off1c3v4l1dK3y2017s.exe HTTP/1.1
  E..e..@….y…fl..W…P….e.Q.P…….GET /Off1c3v4l1dK3y2017s.exe HTTP/1.1
  Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
  Accept-Language: en-us
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  Accept-Encoding: gzip, deflate
  Host: dryversdocumentsandcustomer.com
  Connection: Keep-Alive

  2017-02-18 07:26:16.924122 IP 192.168.1.102.62494 > 75.75.75.75.53: 42747+ A? […]