fatalrat | 05f367011689dd5ca1be21e664d913dff20e0dbe00b641f1adbf7bcd587d3a6c

Analysis

max time kernel
241s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2023 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TGx-64.msi
Size

62.7MB
MD5

fedb9eec7ef2182d987e50e0cdb3f151
SHA1

91b8664b7085e2b60940c6bc5ae5630bfbf6e3aa
SHA256

05f367011689dd5ca1be21e664d913dff20e0dbe00b641f1adbf7bcd587d3a6c
SHA512

1c4cb11d9b36856acf712320aa7fcb1901df1eb7d744d955d9e8e1e076d8d97c7305ab52bb8e3f325effe711e90567e9ab8a5442f2ad48027ef05b2f5403175f
SSDEEP

1572864:SoIyrnjPdtftg59WqNxg+8HTe4VEsUVt99Yxuh2tVqh5/CMFz:qunbbtg59WnxHBgV/96uhKI/pFz

Score

10^/10

fatalrat infostealer persistence rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral3/memory/3432-364-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

usb.exePTvrst.exespolsvt.exespolsvt.exe

pid process

4664 usb.exe
3416 PTvrst.exe
436 spolsvt.exe
3432 spolsvt.exe

pid	process
4664	usb.exe
3416	PTvrst.exe
436	spolsvt.exe
3432	spolsvt.exe

Loads dropped DLL 19 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
3368	MsiExec.exe
3368	MsiExec.exe
3368	MsiExec.exe
3368	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spolsvt.exePTvrst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

usb.exePTvrst.exe

pid process

4664 usb.exe
3416 PTvrst.exe

pid	process
4664	usb.exe
3416	PTvrst.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PTvrst.exespolsvt.exe

description	pid	process	target process
PID 3416 set thread context of 436	3416	PTvrst.exe	spolsvt.exe
PID 436 set thread context of 3432	436	spolsvt.exe	spolsvt.exe

Drops file in Program Files directory 36 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\key_datas	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\Telegram.exe	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\log.txt	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\unins000.dat	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\prefix	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\settingss	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\unins000.exe	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\usertag	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\countries	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps	msiexec.exe
File created	C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exeusb.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5772.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI584D.tmp	msiexec.exe
File created	C:\Windows\DNomb\Mpec.mbt	usb.exe
File opened for modification	C:\Windows\Installer\MSI5F36.tmp	msiexec.exe
File created	C:\Windows\DNomb\spolsvt.exe	usb.exe
File opened for modification	C:\Windows\Installer\MSI588D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4}	msiexec.exe
File opened for modification	C:\Windows\Installer\e585668.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\DNomb\PTvrst.exe	usb.exe
File created	C:\Windows\Installer\e585668.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5978.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 1 IoCs

Processes:

usb.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings usb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	usb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeusb.exePTvrst.exespolsvt.exe

pid	process
2892	msiexec.exe
2892	msiexec.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
4664	usb.exe
3416	PTvrst.exe
3416	PTvrst.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe
3432	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2100	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeCreateTokenPrivilege	2100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2100	msiexec.exe
Token: SeLockMemoryPrivilege	2100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2100	msiexec.exe
Token: SeMachineAccountPrivilege	2100	msiexec.exe
Token: SeTcbPrivilege	2100	msiexec.exe
Token: SeSecurityPrivilege	2100	msiexec.exe
Token: SeTakeOwnershipPrivilege	2100	msiexec.exe
Token: SeLoadDriverPrivilege	2100	msiexec.exe
Token: SeSystemProfilePrivilege	2100	msiexec.exe
Token: SeSystemtimePrivilege	2100	msiexec.exe
Token: SeProfSingleProcessPrivilege	2100	msiexec.exe
Token: SeIncBasePriorityPrivilege	2100	msiexec.exe
Token: SeCreatePagefilePrivilege	2100	msiexec.exe
Token: SeCreatePermanentPrivilege	2100	msiexec.exe
Token: SeBackupPrivilege	2100	msiexec.exe
Token: SeRestorePrivilege	2100	msiexec.exe
Token: SeShutdownPrivilege	2100	msiexec.exe
Token: SeDebugPrivilege	2100	msiexec.exe
Token: SeAuditPrivilege	2100	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2100	msiexec.exe
Token: SeChangeNotifyPrivilege	2100	msiexec.exe
Token: SeRemoteShutdownPrivilege	2100	msiexec.exe
Token: SeUndockPrivilege	2100	msiexec.exe
Token: SeSyncAgentPrivilege	2100	msiexec.exe
Token: SeEnableDelegationPrivilege	2100	msiexec.exe
Token: SeManageVolumePrivilege	2100	msiexec.exe
Token: SeImpersonatePrivilege	2100	msiexec.exe
Token: SeCreateGlobalPrivilege	2100	msiexec.exe
Token: SeCreateTokenPrivilege	2100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2100	msiexec.exe
Token: SeLockMemoryPrivilege	2100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2100	msiexec.exe
Token: SeMachineAccountPrivilege	2100	msiexec.exe
Token: SeTcbPrivilege	2100	msiexec.exe
Token: SeSecurityPrivilege	2100	msiexec.exe
Token: SeTakeOwnershipPrivilege	2100	msiexec.exe
Token: SeLoadDriverPrivilege	2100	msiexec.exe
Token: SeSystemProfilePrivilege	2100	msiexec.exe
Token: SeSystemtimePrivilege	2100	msiexec.exe
Token: SeProfSingleProcessPrivilege	2100	msiexec.exe
Token: SeIncBasePriorityPrivilege	2100	msiexec.exe
Token: SeCreatePagefilePrivilege	2100	msiexec.exe
Token: SeCreatePermanentPrivilege	2100	msiexec.exe
Token: SeBackupPrivilege	2100	msiexec.exe
Token: SeRestorePrivilege	2100	msiexec.exe
Token: SeShutdownPrivilege	2100	msiexec.exe
Token: SeDebugPrivilege	2100	msiexec.exe
Token: SeAuditPrivilege	2100	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2100	msiexec.exe
Token: SeChangeNotifyPrivilege	2100	msiexec.exe
Token: SeRemoteShutdownPrivilege	2100	msiexec.exe
Token: SeUndockPrivilege	2100	msiexec.exe
Token: SeSyncAgentPrivilege	2100	msiexec.exe
Token: SeEnableDelegationPrivilege	2100	msiexec.exe
Token: SeManageVolumePrivilege	2100	msiexec.exe
Token: SeImpersonatePrivilege	2100	msiexec.exe
Token: SeCreateGlobalPrivilege	2100	msiexec.exe
Token: SeCreateTokenPrivilege	2100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2100	msiexec.exe
Token: SeLockMemoryPrivilege	2100	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2100 msiexec.exe
2100 msiexec.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

usb.exePTvrst.exespolsvt.exe

pid process

4664 usb.exe
4664 usb.exe
3416 PTvrst.exe
3416 PTvrst.exe
436 spolsvt.exe
436 spolsvt.exe

pid	process
2100	msiexec.exe
2100	msiexec.exe

pid	process
4664	usb.exe
4664	usb.exe
3416	PTvrst.exe
3416	PTvrst.exe
436	spolsvt.exe
436	spolsvt.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

msiexec.exeMsiExec.exePTvrst.exespolsvt.exe

description	pid	process	target process
PID 2892 wrote to memory of 2848	2892	msiexec.exe	MsiExec.exe
PID 2892 wrote to memory of 2848	2892	msiexec.exe	MsiExec.exe
PID 2892 wrote to memory of 2848	2892	msiexec.exe	MsiExec.exe
PID 2892 wrote to memory of 3124	2892	msiexec.exe	srtasks.exe
PID 2892 wrote to memory of 3124	2892	msiexec.exe	srtasks.exe
PID 2892 wrote to memory of 3368	2892	msiexec.exe	MsiExec.exe
PID 2892 wrote to memory of 3368	2892	msiexec.exe	MsiExec.exe
PID 2892 wrote to memory of 3368	2892	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 4664	2848	MsiExec.exe	usb.exe
PID 2848 wrote to memory of 4664	2848	MsiExec.exe	usb.exe
PID 2848 wrote to memory of 4664	2848	MsiExec.exe	usb.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 3416 wrote to memory of 436	3416	PTvrst.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe
PID 436 wrote to memory of 3432	436	spolsvt.exe	spolsvt.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3076147733809E97405BE188D0C9A00 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Public\haixia\usb.exe
"C:\Users\Public\haixia\usb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3124

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8F5B6A448A178484B44149242E8585D2
2⤵
- Loads dropped DLL
PID:3368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2168

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416

C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585669.rbs

Filesize
7KB

MD5
843ead28eb5297b2af08b906c8322783

SHA1
b5dc5fb6f615f029c802f7647ed238abca68056f

SHA256
66b78385a9e61f587e9053d818c49abb71ad8b58c1a5396c5cc68fef46de18fe

SHA512
3eebd52093808c6ef4039e43ccde7e02b76b31376e9e42a0d73365cf248ca434e350e3e79d00adae0d09d427b36b9f1264b3c92bfbccdb1094f4d0cb19d613f8

Download Submit
C:\Program Files (x86)\Telegram中文版\Telegram.exe

Filesize
129.5MB

MD5
dffd0738bc474639bed3a895498e4a71

SHA1
7025e03fd682fb74bccb0911fd1de6a35383b129

SHA256
090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46

SHA512
588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EDE.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EDE.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96B2.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96B2.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9EF0.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9EF0.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9FAD.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9FAD.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9FAD.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA02B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA02B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA05B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA05B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA29E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA29E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA2ED.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA2ED.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA32C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA32C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA36C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA36C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3A8.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3A8.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDC9E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDC9E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDD3B.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDD3B.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDD3B.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE36.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE36.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF68E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF68E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\haixia\usb.exe

Filesize
2.9MB

MD5
c0b89095eac7d60bd1d2018dc6000550

SHA1
9a56f862f787d4b8a7bd0ca248ae029f07a0988a

SHA256
f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2

SHA512
8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

Download Submit
C:\Users\Public\haixia\usb.exe

Filesize
2.9MB

MD5
c0b89095eac7d60bd1d2018dc6000550

SHA1
9a56f862f787d4b8a7bd0ca248ae029f07a0988a

SHA256
f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2

SHA512
8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

Download Submit
C:\Users\Public\haixia\usb.exe

Filesize
2.9MB

MD5
c0b89095eac7d60bd1d2018dc6000550

SHA1
9a56f862f787d4b8a7bd0ca248ae029f07a0988a

SHA256
f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2

SHA512
8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
488KB

MD5
1d294165b61163c73a5379ca4f388d67

SHA1
10ff3c414046c66243b27c4842498f9b44ca1549

SHA256
d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44

SHA512
d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee

Download Submit
C:\WINDOWS\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\Installer\MSI5772.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI5772.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI584D.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI584D.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI588D.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI588D.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI5978.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI5978.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7a58c348535284373981b47ff7f5b100

SHA1
71c71e541aff847e5bc4b8829e7b2735860e1203

SHA256
3d40d318db56bfd362e9b0a9458d69f351ed8884525f9f8d3c279d6151320f59

SHA512
7dad8d2f6d872df59cd7f1a74359db4889db4f9868e83839776851cf54562a86b7b87d00a366c79a82f4c0ed4fddee59a507baac741ee2c12623d6f48d7797a6

Download Submit
\??\Volume{8edfd87d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55422517-9fd5-4848-95ee-c588d1921afb}_OnDiskSnapshotProp

Filesize
5KB

MD5
4b4e91c80adfe4772ef62d374be9a35c

SHA1
cead53f71befd8a0bc7be09de3d01a84eebf0e41

SHA256
502828ea8673447972657dee4c27761087684350d98628cbb4bd75230916035d

SHA512
a2b27e679130314fd2ad220bcc3f5e313150c17aff49ff76833dd95c48a286a63017745e42094e609300d356fb9127ae19d9483a32c060e6307e03fc0cbfd161

Download Submit
memory/436-344-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/436-351-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/436-352-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/436-347-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/436-346-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/436-345-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3416-333-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3416-341-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/3416-336-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3416-369-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/3416-332-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3416-338-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3416-335-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3416-331-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3416-330-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/3416-329-0x00000000047E0000-0x00000000047E2000-memory.dmp

Filesize
8KB

Download
memory/3416-340-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3416-328-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3416-320-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/3416-339-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/3416-337-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/3416-325-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3416-326-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/3416-327-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3416-334-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3432-357-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-358-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-363-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-364-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4664-313-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/4664-281-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4664-277-0x0000000077044000-0x0000000077046000-memory.dmp

Filesize
8KB

Download
memory/4664-282-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/4664-285-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4664-287-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4664-319-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/4664-318-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/4664-286-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/4664-307-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4664-306-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4664-304-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4664-305-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4664-302-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4664-280-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4664-303-0x0000000004E20000-0x0000000004E22000-memory.dmp

Filesize
8KB

Download
memory/4664-301-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4664-288-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4664-289-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4664-315-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/4664-279-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4664-278-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/4664-310-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4664-311-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4664-309-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4664-308-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4664-276-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download