fatalrat | 4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-09-2023 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Size

15.4MB
MD5

e70b3364e3116ab6b74b3469f92b7d4b
SHA1

ad5500681da9b21288e75e2d5fffeca8b4209145
SHA256

4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe
SHA512

d1db8b03568e1b5a0318c4744a070740d62f8849b756c81a8ed33d5511e57a40f76dfb3ab9065a681fe659fcf9406ea6e012eb03003ce5dc5e9cbc0f82469c96
SSDEEP

393216:K8Z5ubaquU3Ie1no4aHLup8f7A2yefA4KaxEUtN:K8ZIbMU3Z1J7ODR1fzKaXtN

Score

10^/10

fatalrat aspackv2 evasion infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/560-87-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x003100000001868f-17.dat	aspack_v212_v242
behavioral1/files/0x003100000001868f-16.dat	aspack_v212_v242
behavioral1/files/0x003100000001868f-19.dat	aspack_v212_v242

Executes dropped EXE 7 IoCs

pid	Process
620	sg.tmp
2768	w8.exe
2868	spolsvt.exe
560	spolsvt.exe
1184	PTvrst.exe
2384	spolsvt.exe
1600	spolsvt.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Wine	PTvrst.exe

Loads dropped DLL 8 IoCs

pid	Process
2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
2768	w8.exe
2768	w8.exe
2868	spolsvt.exe
2868	spolsvt.exe
1184	PTvrst.exe
2384	spolsvt.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2436-92-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2616-200-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2436-203-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral1/memory/2616-204-0x0000000000400000-0x0000000000572000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1184	PTvrst.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2868	2768	w8.exe	35
PID 2868 set thread context of 560	2868	spolsvt.exe	36
PID 1184 set thread context of 2384	1184	PTvrst.exe	39
PID 2384 set thread context of 1600	2384	spolsvt.exe	40

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\w8.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	w8.exe
File created	C:\Windows\DNomb\Mpec.mbt	w8.exe
File created	C:\Windows\DNomb\PTvrst.exe	w8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	w8.exe
2768	w8.exe
2768	w8.exe
2768	w8.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
560	spolsvt.exe
2868	spolsvt.exe
2868	spolsvt.exe
2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
1184	PTvrst.exe
1600	spolsvt.exe
1600	spolsvt.exe
1600	spolsvt.exe
1600	spolsvt.exe
1600	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeRestorePrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: 33	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeCreateGlobalPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: 33	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: 33	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeRestorePrivilege	620	sg.tmp
Token: 35	620	sg.tmp
Token: SeSecurityPrivilege	620	sg.tmp
Token: SeSecurityPrivilege	620	sg.tmp
Token: 33	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeDebugPrivilege	560	spolsvt.exe
Token: SeDebugPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeDebugPrivilege	1600	spolsvt.exe
Token: 33	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeBackupPrivilege	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeRestorePrivilege	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: 33	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
Token: SeIncBasePriorityPrivilege	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2768	w8.exe
2768	w8.exe
2868	spolsvt.exe
2868	spolsvt.exe
1184	PTvrst.exe
1184	PTvrst.exe
2384	spolsvt.exe
2384	spolsvt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 836	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	28
PID 2436 wrote to memory of 836	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	28
PID 2436 wrote to memory of 836	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	28
PID 2436 wrote to memory of 836	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	28
PID 2436 wrote to memory of 620	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	30
PID 2436 wrote to memory of 620	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	30
PID 2436 wrote to memory of 620	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	30
PID 2436 wrote to memory of 620	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	30
PID 2436 wrote to memory of 2768	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	32
PID 2436 wrote to memory of 2768	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	32
PID 2436 wrote to memory of 2768	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	32
PID 2436 wrote to memory of 2768	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	32
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2768 wrote to memory of 2868	2768	w8.exe	35
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 2868 wrote to memory of 560	2868	spolsvt.exe	36
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 1184 wrote to memory of 2384	1184	PTvrst.exe	39
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2384 wrote to memory of 1600	2384	spolsvt.exe	40
PID 2436 wrote to memory of 2616	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	43
PID 2436 wrote to memory of 2616	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	43
PID 2436 wrote to memory of 2616	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	43
PID 2436 wrote to memory of 2616	2436	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	43
PID 2616 wrote to memory of 1132	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	44
PID 2616 wrote to memory of 1132	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	44
PID 2616 wrote to memory of 1132	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	44
PID 2616 wrote to memory of 1132	2616	4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe	44

C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
"C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe" -y -aoa -o"C:\Program Files (x86)\"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Program Files (x86)\w8.exe
  "C:\Program Files (x86)\\w8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\DNomb\spolsvt.exe
    C:\Windows\DNomb\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Public\Documents\t\spolsvt.exe
      C:\Users\Public\Documents\t\spolsvt.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560
- C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd"
    3⤵
    PID:1132

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184
- C:\WINDOWS\DNomb\spolsvt.exe
  C:\WINDOWS\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn-latest.exe

Filesize
14.3MB

MD5
291be48f62359b80b3774eb4699e0e79

SHA1
09e1ba3935cb3950160859584242aa1919cfd73c

SHA256
7ccac89afb5c01a8b22e2d82cfe2293f169a2e963c2780e40008b588938975fa

SHA512
e7fabc74a164b315bd91f3d793023139da8b85bbf02b68214d21ddedcdd8f9a8180a4b0c9db9210dd8891d2cd13ce970530f869a750d5b1057c296c5dba3b1a4

Download Submit
C:\Program Files (x86)\w8.exe

Filesize
474KB

MD5
07b63770097223abaa76c4c42a8b12ea

SHA1
a7dcff1a8ecfed52a61111734029f12fccacc91d

SHA256
ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063

SHA512
da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

Download Submit
C:\Program Files (x86)\w8.exe

Filesize
474KB

MD5
07b63770097223abaa76c4c42a8b12ea

SHA1
a7dcff1a8ecfed52a61111734029f12fccacc91d

SHA256
ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063

SHA512
da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd

Filesize
280B

MD5
42ff656bd4ee3e19a5828940041fdfdb

SHA1
2e3c7f0fd42dd48b014e82e9e5edf50664ae5698

SHA256
b326705c28abc9947182f84830e0e680d35551157b408a0f9cfd137279a02838

SHA512
4ba36b5e44c94df09b91b3557237dae6b74a9fe04da686f157938446cf635c464f616126e937400ee4d577708b3bdcb7f88cec8df23d344bfd7105b75f9ec7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd

Filesize
280B

MD5
42ff656bd4ee3e19a5828940041fdfdb

SHA1
2e3c7f0fd42dd48b014e82e9e5edf50664ae5698

SHA256
b326705c28abc9947182f84830e0e680d35551157b408a0f9cfd137279a02838

SHA512
4ba36b5e44c94df09b91b3557237dae6b74a9fe04da686f157938446cf635c464f616126e937400ee4d577708b3bdcb7f88cec8df23d344bfd7105b75f9ec7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
488KB

MD5
429d8041db189592a97242a2010a5aeb

SHA1
b07df03752608c60224fe9d9a332df760f289f8f

SHA256
04a427c4d47dd8ca055ba01ff01b93a5decdf1105432164542d03c4c391adf8c

SHA512
f4aecee6b79c0c9c73225ca126da7b72c701f90fb0b23fe97c31fe806eb739ffab75ee83b6ad57fc1d0ea9902126d176d3844c9c03107162efa8327a5ef8af22

Download Submit
C:\WINDOWS\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Program Files (x86)\w8.exe

Filesize
474KB

MD5
07b63770097223abaa76c4c42a8b12ea

SHA1
a7dcff1a8ecfed52a61111734029f12fccacc91d

SHA256
ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063

SHA512
da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

Download Submit
\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/560-87-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/560-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/560-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/560-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/560-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/560-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/560-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/560-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1184-135-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1184-123-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1184-118-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1184-119-0x00000000042C0000-0x00000000042C2000-memory.dmp

Filesize
8KB

Download
memory/1184-120-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/1184-121-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1184-100-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1184-122-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/1184-102-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

Filesize
8KB

Download
memory/1184-103-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/1184-104-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1184-105-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1184-111-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1184-175-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1184-124-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1184-107-0x0000000004250000-0x0000000004252000-memory.dmp

Filesize
8KB

Download
memory/1184-106-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1184-127-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1184-138-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1184-140-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1184-142-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1184-125-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1184-137-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1184-126-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1184-128-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1184-136-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/2384-147-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2384-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-18-0x0000000002DA0000-0x0000000002EFB000-memory.dmp

Filesize
1.4MB

Download
memory/2436-199-0x0000000005E10000-0x0000000005F82000-memory.dmp

Filesize
1.4MB

Download
memory/2436-92-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2436-0-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2436-203-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2436-183-0x0000000002DA0000-0x0000000002EFB000-memory.dmp

Filesize
1.4MB

Download
memory/2616-200-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2616-204-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2768-101-0x00000000012F0000-0x000000000144B000-memory.dmp

Filesize
1.4MB

Download
memory/2768-20-0x00000000012F0000-0x000000000144B000-memory.dmp

Filesize
1.4MB

Download
memory/2768-96-0x00000000012F0000-0x000000000144B000-memory.dmp

Filesize
1.4MB

Download
memory/2768-22-0x00000000012F0000-0x000000000144B000-memory.dmp

Filesize
1.4MB

Download
memory/2768-21-0x00000000012F0000-0x000000000144B000-memory.dmp

Filesize
1.4MB

Download
memory/2868-53-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-45-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-47-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-49-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-51-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-55-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2868-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-61-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download