Malware Analysis Report

2025-03-15 03:55

Sample ID 230906-zzlr2sbh7y
Target 4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe
SHA256 4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe
Tags
fatalrat aspackv2 evasion infostealer persistence rat upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe

Threat Level: Known bad

The file 4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe was found to be: Known bad.

Malicious Activity Summary

fatalrat aspackv2 evasion infostealer persistence rat upx

FatalRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Fatal Rat payload

Downloads MZ/PE file

ASPack v2.12-2.42

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

UPX packed file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-06 21:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-06 21:09

Reported

2023-09-06 21:12

Platform

win7-20230831-en

Max time kernel

121s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Public\Documents\123\PTvrst.exe N/A

Downloads MZ/PE file

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Wine C:\Users\Public\Documents\123\PTvrst.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2868 set thread context of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 1184 set thread context of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2384 set thread context of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\w8.exe C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DNomb\spolsvt.exe C:\Program Files (x86)\w8.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Program Files (x86)\w8.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Program Files (x86)\w8.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Windows\DNomb\spolsvt.exe N/A
N/A N/A C:\Windows\DNomb\spolsvt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp
PID 2436 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp
PID 2436 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp
PID 2436 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp
PID 2436 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 2436 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 2436 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 2436 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2768 wrote to memory of 2868 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2868 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1184 wrote to memory of 2384 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2384 wrote to memory of 1600 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2436 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
PID 2436 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
PID 2436 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
PID 2436 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe
PID 2616 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe

"C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe" -y -aoa -o"C:\Program Files (x86)\"

C:\Program Files (x86)\w8.exe

"C:\Program Files (x86)\\w8.exe"

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe

PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd"

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 testvvv123.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.18.48:443 testvvv123.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 tt.wccabc.com udp
HK 202.79.174.244:3927 tt.wccabc.com tcp
HK 202.79.174.244:3927 tt.wccabc.com tcp

Files

memory/2436-0-0x0000000000400000-0x0000000000572000-memory.dmp

\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Users\Admin\AppData\Local\Temp\~6401147081516292479~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Program Files (x86)\letsvpn-latest.exe

MD5 291be48f62359b80b3774eb4699e0e79
SHA1 09e1ba3935cb3950160859584242aa1919cfd73c
SHA256 7ccac89afb5c01a8b22e2d82cfe2293f169a2e963c2780e40008b588938975fa
SHA512 e7fabc74a164b315bd91f3d793023139da8b85bbf02b68214d21ddedcdd8f9a8180a4b0c9db9210dd8891d2cd13ce970530f869a750d5b1057c296c5dba3b1a4

C:\Program Files (x86)\w8.exe

MD5 07b63770097223abaa76c4c42a8b12ea
SHA1 a7dcff1a8ecfed52a61111734029f12fccacc91d
SHA256 ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063
SHA512 da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

memory/2436-18-0x0000000002DA0000-0x0000000002EFB000-memory.dmp

\Program Files (x86)\w8.exe

MD5 07b63770097223abaa76c4c42a8b12ea
SHA1 a7dcff1a8ecfed52a61111734029f12fccacc91d
SHA256 ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063
SHA512 da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

C:\Program Files (x86)\w8.exe

MD5 07b63770097223abaa76c4c42a8b12ea
SHA1 a7dcff1a8ecfed52a61111734029f12fccacc91d
SHA256 ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063
SHA512 da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

memory/2768-20-0x00000000012F0000-0x000000000144B000-memory.dmp

memory/2768-21-0x00000000012F0000-0x000000000144B000-memory.dmp

memory/2768-22-0x00000000012F0000-0x000000000144B000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2868-45-0x0000000000400000-0x0000000000516000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2868-47-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2868-49-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2868-51-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2868-53-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2868-55-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2868-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2868-61-0x0000000000400000-0x0000000000516000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/560-71-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/560-75-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-73-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-78-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-81-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/560-86-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/560-87-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2436-92-0x0000000000400000-0x0000000000572000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2768-96-0x00000000012F0000-0x000000000144B000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/1184-100-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2768-101-0x00000000012F0000-0x000000000144B000-memory.dmp

memory/1184-102-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

memory/1184-103-0x00000000042E0000-0x00000000042E1000-memory.dmp

memory/1184-104-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1184-105-0x0000000004200000-0x0000000004201000-memory.dmp

memory/1184-111-0x00000000042D0000-0x00000000042D1000-memory.dmp

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/1184-107-0x0000000004250000-0x0000000004252000-memory.dmp

memory/1184-106-0x0000000004280000-0x0000000004281000-memory.dmp

memory/1184-127-0x00000000043B0000-0x00000000043B1000-memory.dmp

memory/1184-138-0x0000000004350000-0x0000000004351000-memory.dmp

memory/1184-140-0x0000000004340000-0x0000000004341000-memory.dmp

memory/1184-142-0x00000000041A0000-0x00000000041A1000-memory.dmp

memory/2384-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1184-137-0x0000000004320000-0x0000000004321000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2384-147-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1184-136-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/1184-135-0x0000000004190000-0x0000000004191000-memory.dmp

memory/1184-128-0x0000000004270000-0x0000000004271000-memory.dmp

memory/1184-126-0x0000000004300000-0x0000000004301000-memory.dmp

memory/1184-125-0x0000000004290000-0x0000000004291000-memory.dmp

memory/1184-124-0x00000000042B0000-0x00000000042B1000-memory.dmp

memory/1184-123-0x0000000004260000-0x0000000004261000-memory.dmp

memory/1184-122-0x00000000041F0000-0x00000000041F1000-memory.dmp

memory/1184-121-0x00000000042F0000-0x00000000042F1000-memory.dmp

memory/1184-120-0x0000000004220000-0x0000000004221000-memory.dmp

memory/1184-119-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/1184-118-0x0000000004230000-0x0000000004231000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 429d8041db189592a97242a2010a5aeb
SHA1 b07df03752608c60224fe9d9a332df760f289f8f
SHA256 04a427c4d47dd8ca055ba01ff01b93a5decdf1105432164542d03c4c391adf8c
SHA512 f4aecee6b79c0c9c73225ca126da7b72c701f90fb0b23fe97c31fe806eb739ffab75ee83b6ad57fc1d0ea9902126d176d3844c9c03107162efa8327a5ef8af22

C:\Users\Public\Documents\t\yh.png

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1184-175-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2436-183-0x0000000002DA0000-0x0000000002EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd

MD5 42ff656bd4ee3e19a5828940041fdfdb
SHA1 2e3c7f0fd42dd48b014e82e9e5edf50664ae5698
SHA256 b326705c28abc9947182f84830e0e680d35551157b408a0f9cfd137279a02838
SHA512 4ba36b5e44c94df09b91b3557237dae6b74a9fe04da686f157938446cf635c464f616126e937400ee4d577708b3bdcb7f88cec8df23d344bfd7105b75f9ec7b0

memory/2436-199-0x0000000005E10000-0x0000000005F82000-memory.dmp

memory/2616-200-0x0000000000400000-0x0000000000572000-memory.dmp

memory/2436-203-0x0000000000400000-0x0000000000572000-memory.dmp

memory/2616-204-0x0000000000400000-0x0000000000572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~1542991401538432736.cmd

MD5 42ff656bd4ee3e19a5828940041fdfdb
SHA1 2e3c7f0fd42dd48b014e82e9e5edf50664ae5698
SHA256 b326705c28abc9947182f84830e0e680d35551157b408a0f9cfd137279a02838
SHA512 4ba36b5e44c94df09b91b3557237dae6b74a9fe04da686f157938446cf635c464f616126e937400ee4d577708b3bdcb7f88cec8df23d344bfd7105b75f9ec7b0

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-06 21:09

Reported

2023-09-06 21:12

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Public\Documents\123\PTvrst.exe N/A

Downloads MZ/PE file

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Wine C:\Users\Public\Documents\123\PTvrst.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3692 set thread context of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3976 set thread context of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 5080 set thread context of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 4176 set thread context of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\letsvpn-latest.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
File opened for modification C:\Program Files (x86)\letsvpn-latest.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
File created C:\Program Files (x86)\w8.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
File opened for modification C:\Program Files (x86)\w8.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DNomb\PTvrst.exe C:\Program Files (x86)\w8.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Program Files (x86)\w8.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Program Files (x86)\w8.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings C:\Program Files (x86)\w8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Program Files (x86)\w8.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\SYSTEM32\cmd.exe
PID 1824 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Windows\SYSTEM32\cmd.exe
PID 1824 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp
PID 1824 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp
PID 1824 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp
PID 1824 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 1824 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 1824 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe C:\Program Files (x86)\w8.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3692 wrote to memory of 3976 N/A C:\Program Files (x86)\w8.exe C:\Windows\DNomb\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3976 wrote to memory of 1948 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 5080 wrote to memory of 4176 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4176 wrote to memory of 4704 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe

"C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\4f46c5da50a2ceb8c78f0fc2739439d5c544fe6d0924d6f61ecd7c2453565efe.exe" -y -aoa -o"C:\Program Files (x86)\"

C:\Program Files (x86)\w8.exe

"C:\Program Files (x86)\\w8.exe"

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 testvvv123.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.18.48:443 testvvv123.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 48.18.75.47.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 tt.wccabc.com udp
HK 202.79.174.244:3927 tt.wccabc.com tcp
US 8.8.8.8:53 244.174.79.202.in-addr.arpa udp
HK 202.79.174.244:3927 tt.wccabc.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp

Files

memory/1824-0-0x0000000000400000-0x0000000000572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~6839522196131104433~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Program Files (x86)\letsvpn-latest.exe

MD5 291be48f62359b80b3774eb4699e0e79
SHA1 09e1ba3935cb3950160859584242aa1919cfd73c
SHA256 7ccac89afb5c01a8b22e2d82cfe2293f169a2e963c2780e40008b588938975fa
SHA512 e7fabc74a164b315bd91f3d793023139da8b85bbf02b68214d21ddedcdd8f9a8180a4b0c9db9210dd8891d2cd13ce970530f869a750d5b1057c296c5dba3b1a4

C:\Program Files (x86)\w8.exe

MD5 07b63770097223abaa76c4c42a8b12ea
SHA1 a7dcff1a8ecfed52a61111734029f12fccacc91d
SHA256 ef664098b808bb6ec158ceedcf6144f438b0756199b0c86032934286082d1063
SHA512 da866c9c342acfb9f96dac182c42f50238b13df261fe65cf7d0eeac9b21497784c9392e14e8c54d21364baed19452817647b769ec3df4e3207d4a295691ec585

memory/3692-17-0x0000000000130000-0x000000000028B000-memory.dmp

memory/3692-18-0x0000000000130000-0x000000000028B000-memory.dmp

memory/3692-19-0x0000000000130000-0x000000000028B000-memory.dmp

memory/3692-20-0x0000000000130000-0x000000000028B000-memory.dmp

memory/1824-28-0x0000000000400000-0x0000000000572000-memory.dmp

memory/3976-30-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3976-31-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3976-32-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3976-33-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/3976-38-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3976-39-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3692-41-0x0000000000130000-0x000000000028B000-memory.dmp

memory/1948-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1948-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1948-47-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1948-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1948-52-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/5080-61-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/3692-62-0x0000000000130000-0x000000000028B000-memory.dmp

memory/5080-64-0x00000000774A4000-0x00000000774A6000-memory.dmp

memory/5080-65-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/5080-66-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/5080-67-0x0000000004750000-0x0000000004751000-memory.dmp

memory/5080-68-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/5080-69-0x0000000004780000-0x0000000004781000-memory.dmp

memory/5080-70-0x00000000047E0000-0x00000000047E2000-memory.dmp

memory/5080-72-0x0000000004770000-0x0000000004771000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 429d8041db189592a97242a2010a5aeb
SHA1 b07df03752608c60224fe9d9a332df760f289f8f
SHA256 04a427c4d47dd8ca055ba01ff01b93a5decdf1105432164542d03c4c391adf8c
SHA512 f4aecee6b79c0c9c73225ca126da7b72c701f90fb0b23fe97c31fe806eb739ffab75ee83b6ad57fc1d0ea9902126d176d3844c9c03107162efa8327a5ef8af22

memory/5080-76-0x0000000004800000-0x0000000004801000-memory.dmp

memory/5080-74-0x0000000004760000-0x0000000004761000-memory.dmp

memory/5080-78-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/5080-82-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/5080-83-0x0000000004810000-0x0000000004811000-memory.dmp

memory/5080-80-0x00000000047D0000-0x00000000047D1000-memory.dmp

memory/5080-87-0x0000000004860000-0x0000000004861000-memory.dmp

memory/4176-88-0x0000000000400000-0x0000000000516000-memory.dmp

memory/5080-86-0x00000000048D0000-0x00000000048D2000-memory.dmp

memory/4176-85-0x0000000000400000-0x0000000000516000-memory.dmp

memory/5080-89-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/5080-90-0x0000000004740000-0x0000000004741000-memory.dmp

C:\Users\Public\Documents\t\yh.png

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5080-93-0x0000000004790000-0x0000000004791000-memory.dmp

memory/5080-95-0x0000000004870000-0x0000000004871000-memory.dmp

memory/5080-94-0x0000000004840000-0x0000000004842000-memory.dmp

memory/5080-92-0x0000000004900000-0x0000000004901000-memory.dmp

memory/4704-104-0x0000000010000000-0x000000001002A000-memory.dmp

memory/5080-109-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1824-110-0x0000000000400000-0x0000000000572000-memory.dmp

memory/1824-119-0x0000000074820000-0x0000000074A4B000-memory.dmp