Malware Analysis Report

2025-03-15 03:51

Sample ID 230908-132hcafg23
Target 0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
SHA256 0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
Tags
vmprotect fatalrat evasion infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a

Threat Level: Known bad

The file 0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a was found to be: Known bad.

Malicious Activity Summary

vmprotect fatalrat evasion infostealer persistence rat

FatalRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Fatal Rat payload

Downloads MZ/PE file

Loads dropped DLL

VMProtect packed file

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-08 22:11

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 22:11

Reported

2023-09-08 22:13

Platform

win7-20230831-en

Max time kernel

120s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Public\Documents\123\PTvrst.exe N/A

Downloads MZ/PE file

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Wine C:\Users\Public\Documents\123\PTvrst.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Windows\DNomb\spolsvt.exe N/A
N/A N/A C:\Windows\DNomb\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2848 wrote to memory of 2280 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2552 wrote to memory of 112 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2220 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 584 wrote to memory of 1348 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe

"C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe"

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 testvvv123.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.18.48:443 testvvv123.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 sdg.wccabc.com udp
HK 27.124.41.180:3927 sdg.wccabc.com tcp
US 8.8.8.8:53 king.wccabc.com udp
HK 8.217.146.205:3927 king.wccabc.com tcp
US 8.8.8.8:53 nba.wccabc.com udp
HK 8.217.146.205:3927 nba.wccabc.com tcp

Files

memory/2220-0-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2220-1-0x0000000000400000-0x00000000004B2000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2848-25-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-27-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-29-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-32-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-35-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-37-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2848-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2848-43-0x0000000000400000-0x0000000000516000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2552-49-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2552-51-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2552-53-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2280-64-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2552-66-0x0000000000400000-0x0000000000445000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2280-67-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2552-72-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2280-71-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2552-78-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2280-77-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2552-89-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2280-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2280-83-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\yh.png

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2280-94-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2280-95-0x0000000010000000-0x000000001002A000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Users\Public\Documents\t\yh.png

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Public\Documents\t\yh.png

MD5 028ba62daac2bc62ae678c2a3fa7b88d
SHA1 97cdc3f57b10d10c1c986defbbd008880e9ee2b3
SHA256 ca0a6f830f8b727785a0a303b242cdc89687be3424f29bf2fa49a95d182f6104
SHA512 2094813617caf57e0f6ff7379ce6eb2a752d1150d44bcbf6ce224d4dfa53307fab50adb7a3d4d9cea2fd0cca2d55290e890cf498d9fc95dcf39a480dfa3c78f7

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2220-178-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/2328-183-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2220-184-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2328-185-0x0000000077A40000-0x0000000077A42000-memory.dmp

memory/2328-186-0x0000000004330000-0x0000000004331000-memory.dmp

memory/2328-187-0x0000000004200000-0x0000000004201000-memory.dmp

memory/2328-188-0x0000000004260000-0x0000000004261000-memory.dmp

memory/2328-197-0x0000000004340000-0x0000000004341000-memory.dmp

memory/2328-198-0x0000000004380000-0x0000000004381000-memory.dmp

memory/2328-196-0x00000000042E0000-0x00000000042E1000-memory.dmp

memory/2328-195-0x0000000004290000-0x0000000004291000-memory.dmp

memory/2328-194-0x00000000041F0000-0x00000000041F1000-memory.dmp

memory/2328-193-0x0000000004220000-0x0000000004221000-memory.dmp

memory/2328-192-0x0000000004300000-0x0000000004302000-memory.dmp

memory/2328-191-0x0000000004230000-0x0000000004231000-memory.dmp

memory/2328-190-0x0000000004310000-0x0000000004311000-memory.dmp

memory/2328-189-0x0000000004320000-0x0000000004321000-memory.dmp

memory/2328-199-0x0000000004080000-0x0000000004081000-memory.dmp

memory/2328-200-0x0000000004270000-0x0000000004271000-memory.dmp

memory/2328-201-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/2328-202-0x0000000004370000-0x0000000004371000-memory.dmp

memory/2328-203-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2328-204-0x00000000042B0000-0x00000000042B1000-memory.dmp

memory/2328-206-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/2328-207-0x0000000004390000-0x0000000004391000-memory.dmp

memory/2328-208-0x0000000004090000-0x0000000004091000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 26ce1c3bf6c4b4e1a2b9731d07a9057b
SHA1 493a39b7b39e151e17cef87a29bdc267f37fad3e
SHA256 a62009226fa461552a9c715b7ca7f3c44d85755ab4843b5284f5c9ef25475f1f
SHA512 3fe5a4b300b1f149ef559b80585109d87ebc036849eaca3884a81d99a45312c2f7bf21d92f1ed08efb51ec3ca5de32d14433b3a095704420285a95ec2eccb38d

memory/2328-210-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2328-212-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2328-213-0x0000000004350000-0x0000000004351000-memory.dmp

memory/2328-211-0x00000000042C0000-0x00000000042C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 22:11

Reported

2023-09-08 22:13

Platform

win10v2004-20230831-en

Max time kernel

124s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Public\Documents\123\PTvrst.exe N/A

Downloads MZ/PE file

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Wine C:\Users\Public\Documents\123\PTvrst.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\Windows\DNomb\spolsvt.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe C:\Windows\DNomb\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
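
The rows above repeat each writer/target pair once per WriteProcessMemory call, which hides the shape of the chain: the dropper (4700) writes into three copies of C:\Windows\DNomb\spolsvt.exe, and each of those writes into a copy of C:\Users\Public\Documents\t\spolsvt.exe. Together with the SetThreadContext signature in the summary, this is the API sequence commonly associated with writing into a newly created process and redirecting its thread, although the report itself records only the writes. The following is an added example, not part of the report: it de-duplicates the rows and rebuilds the write tree. SAMPLE_ROWS is constructed from rows of the table, with the dropper's SHA256-named executable shortened to DROPPER.exe for readability.

```python
"""Rebuild the cross-process write chain from WriteProcessMemory rows (added example)."""
import re
from collections import defaultdict

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Constructed from the report's table; DROPPER.exe stands in for the
# SHA256-named sample. Duplicates are deliberate, as in the report.
SAMPLE_ROWS = r"""
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\DROPPER.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\DROPPER.exe C:\Windows\DNomb\spolsvt.exe
PID 4700 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\DROPPER.exe C:\Windows\DNomb\spolsvt.exe
PID 4744 wrote to memory of 5044 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4408 wrote to memory of 560 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4700 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\DROPPER.exe C:\Windows\DNomb\spolsvt.exe
PID 2204 wrote to memory of 2808 N/A C:\Windows\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
"""


def parse_rows(text):
    """Return the set of distinct (src_pid, dst_pid, src_image, dst_image) edges."""
    edges = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.add((int(src), int(dst), src_img, dst_img))
    return edges


def build_graph(edges):
    """Return (children, images, roots): adjacency by PID, PID -> image path, and PIDs nobody wrote into."""
    children = defaultdict(list)
    images = {}
    targets = set()
    for src, dst, src_img, dst_img in sorted(edges):
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)
    return children, images, roots


def chains(children, roots):
    """Every root-to-leaf path of writes, e.g. dropper -> loader copy -> payload copy."""
    paths = []

    def walk(pid, path):
        if not children.get(pid):
            paths.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return paths


def render(children, images, roots):
    """Indented tree, one line per PID, the way an analyst would sketch it."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    ch, im, roots = build_graph(parse_rows(SAMPLE_ROWS))
    print(render(ch, im, roots))
    for c in chains(ch, roots):
        print(" -> ".join(map(str, c)))
```

Three leaf PIDs (5044, 560, 2808) all end up running the same image, which matches the memory-dump sizes in the Files section: every 0x400000 region for those PIDs spans 0x30000 bytes, versus 0x116000 for the intermediate copies.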

Processes

C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe

"C:\Users\Admin\AppData\Local\Temp\0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe"

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Windows\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 testvvv123.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
HK 47.75.18.48:443 testvvv123.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 48.18.75.47.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 sdg.wccabc.com udp
HK 27.124.41.180:3927 sdg.wccabc.com tcp
US 8.8.8.8:53 king.wccabc.com udp
HK 8.217.146.205:3927 king.wccabc.com tcp
US 8.8.8.8:53 180.41.124.27.in-addr.arpa udp
US 8.8.8.8:53 205.146.217.8.in-addr.arpa udp
US 8.8.8.8:53 nba.wccabc.com udp
HK 8.217.146.205:3927 nba.wccabc.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
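
Most rows in this table are not indicators: the *.in-addr.arpa queries are the sandbox resolver reverse-looking-up addresses it saw, and 8.8.8.8 is its upstream DNS. What is left is a staging host in Alibaba Cloud OSS (testvvv123 is the bucket name in the <bucket>.oss-<region>.aliyuncs.com scheme, so its IP is shared with every other tenant of that endpoint) and three wccabc.com names all served on TCP 3927. The following is an added example, not part of the report, that applies exactly that separation; SAMPLE is constructed from rows of the table, and the shared-service suffix list and port allow-list are this example's assumptions.

```python
"""Pull blockable indicators out of a sandbox Network table (added example)."""
from collections import defaultdict

# Constructed from rows of the report's Network table.
SAMPLE = """\
US 8.8.8.8:53 testvvv123.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
HK 47.75.18.48:443 testvvv123.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 48.18.75.47.in-addr.arpa udp
US 8.8.8.8:53 sdg.wccabc.com udp
HK 27.124.41.180:3927 sdg.wccabc.com tcp
US 8.8.8.8:53 king.wccabc.com udp
HK 8.217.146.205:3927 king.wccabc.com tcp
US 8.8.8.8:53 nba.wccabc.com udp
HK 8.217.146.205:3927 nba.wccabc.com tcp
"""

# Suffixes of multi-tenant services: block the host name, never the IP (assumption).
SHARED_SUFFIXES = (".aliyuncs.com",)
COMMON_PORTS = {80, 443}


def parse(text):
    """Split 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def registered_domain(fqdn):
    """Last two labels; adequate for the gTLDs seen here, not for co.uk-style suffixes."""
    return ".".join(fqdn.split(".")[-2:])


def extract(rows):
    """Classify rows into domains, IPs safe to block, shared-infrastructure hosts and unusual ports."""
    iocs = {"domains": set(), "block_ips": set(), "shared_hosts": set(),
            "ports": set(), "by_registered": defaultdict(set)}
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookup, not sample traffic
        iocs["domains"].add(d)
        iocs["by_registered"][registered_domain(d)].add(d)
        if r["port"] == 53 and r["proto"] == "udp":
            continue  # DNS query: the name is the indicator, the resolver is not
        if d.endswith(SHARED_SUFFIXES):
            iocs["shared_hosts"].add(d)
        else:
            iocs["block_ips"].add(r["ip"])
        if r["port"] not in COMMON_PORTS:
            iocs["ports"].add(r["port"])
    return iocs


if __name__ == "__main__":
    for key, value in extract(parse(SAMPLE)).items():
        print(key, dict(value) if isinstance(value, dict) else sorted(value))
```

Grouping by registered domain is what turns three C2 names into one detection: a query for any *.wccabc.com name, or any outbound TCP/3927, covers the whole set without a per-host rule.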

Files

memory/4700-0-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4700-1-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4744-11-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4744-12-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4744-13-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4744-14-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/4744-19-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4744-20-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4408-22-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4408-24-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4408-23-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4408-25-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/4408-29-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\yh.png

MD5 d61a243c846531f4fc4b7b7836727d79
SHA1 ea474cc015b27411848954c81079945770b3a788
SHA256 e310c2534eeee2da2707781fedba50e16473fd4527fd9c7c96ef50912c43e2ea
SHA512 046851794024ee055a01c51c19693e07bbc1cf7983c40e084ffe84c7cbe48b3fe92cb86d1da36310d714ae58eb0bd2d24d6fe76cb7e8f3d750b2806597acccdf

memory/5044-37-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5044-39-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5044-38-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/5044-43-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/5044-44-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Public\Documents\t\yh.png

MD5 7000c805eab8b2dcef78b3fdc4838f38
SHA1 b555942b0680c303c7fe9200eb11056f9ee1cede
SHA256 03be67f3f3a5d19d834cb7441e823d904893af0397e9eb0bc3b01e5de976f25a
SHA512 233757e82399df2f5fc5f21262d21b26c6aeda3485be84b7b92907341d5891cdfe897833b95dcc3f1b03131e99e2bc84a508ffdf7bcf525ed3b3fd89168a0019

memory/560-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/560-57-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-58-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2204-63-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2204-64-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2204-65-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2204-66-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2204-70-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Public\Documents\t\yh.png

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-byte input: this capture caught yh.png after it was created or truncated and before its contents were written.)

C:\Users\Public\Documents\t\yh.png

MD5 028ba62daac2bc62ae678c2a3fa7b88d
SHA1 97cdc3f57b10d10c1c986defbbd008880e9ee2b3
SHA256 ca0a6f830f8b727785a0a303b242cdc89687be3424f29bf2fa49a95d182f6104
SHA512 2094813617caf57e0f6ff7379ce6eb2a752d1150d44bcbf6ce224d4dfa53307fab50adb7a3d4d9cea2fd0cca2d55290e890cf498d9fc95dcf39a480dfa3c78f7

memory/2808-78-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/2808-82-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4700-92-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/4100-96-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/4700-95-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4100-97-0x0000000077154000-0x0000000077156000-memory.dmp

memory/4100-98-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/4100-99-0x0000000004750000-0x0000000004751000-memory.dmp

memory/4100-100-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/4100-102-0x0000000004770000-0x0000000004771000-memory.dmp

memory/4100-101-0x0000000004780000-0x0000000004781000-memory.dmp

memory/4100-103-0x00000000047E0000-0x00000000047E2000-memory.dmp

memory/4100-105-0x0000000004800000-0x0000000004801000-memory.dmp

memory/4100-104-0x0000000004760000-0x0000000004761000-memory.dmp

memory/4100-107-0x00000000047D0000-0x00000000047D1000-memory.dmp

memory/4100-106-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/4100-108-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/4100-109-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/4100-111-0x0000000004790000-0x0000000004791000-memory.dmp

memory/4100-110-0x0000000004870000-0x0000000004871000-memory.dmp

memory/4100-112-0x0000000004840000-0x0000000004841000-memory.dmp

memory/4100-113-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/4100-114-0x0000000004820000-0x0000000004821000-memory.dmp

memory/4100-115-0x0000000004880000-0x0000000004881000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 384f8e7beec8670f7f483720422afa46
SHA1 90ff02ed84b01a140453a8b09cf1b7ace2acd92a
SHA256 cf45dcc35a9c189779cf442196cf98e4ee7a5543c235f3df1cadf427d268f1ee
SHA512 c4a3f2de78bb5144e4bf7317877608610d1974a31c7aaeaaf20f12b56b076ee59832e9695e5c1971973671ae257f9fa200e1d86cfd1324d72a21058afb8952df

memory/4100-117-0x0000000004740000-0x0000000004741000-memory.dmp

memory/4100-119-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/4100-118-0x0000000004830000-0x0000000004831000-memory.dmp
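
The Files section repeats each path once per capture, which obscures two facts a reviewer needs: spolsvt.exe is two different binaries (the C:\Windows\DNomb copy and the C:\Users\Public\Documents\t copy have different hashes), and yh.png is rewritten with different content on every pass, including one zero-byte capture. The following is an added example, not part of the report, that collapses the entries per path and raises those points; SAMPLE is constructed from entries above with the memory-dump lines and the SHA1/SHA512 digests left out for brevity. EMPTY_SHA256 is the well-known SHA-256 of empty input.

```python
"""Collapse a sandbox Files section into one record per path and flag anomalies (added example)."""
from collections import defaultdict

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed from entries in the report's Files section.
SAMPLE = r"""
C:\Windows\DNomb\spolsvt.exe
MD5 523d5c39f9d8d2375c3df68251fa2249
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

C:\Windows\DNomb\spolsvt.exe
MD5 523d5c39f9d8d2375c3df68251fa2249
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

C:\Users\Public\Documents\t\spolsvt.exe
MD5 cdce4713e784ae069d73723034a957ff
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

C:\Users\Public\Documents\t\yh.png
MD5 d61a243c846531f4fc4b7b7836727d79
SHA256 e310c2534eeee2da2707781fedba50e16473fd4527fd9c7c96ef50912c43e2ea

C:\Users\Public\Documents\t\yh.png
MD5 7000c805eab8b2dcef78b3fdc4838f38
SHA256 03be67f3f3a5d19d834cb7441e823d904893af0397e9eb0bc3b01e5de976f25a

C:\Users\Public\Documents\t\yh.png
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Public\Documents\t\yh.png
MD5 028ba62daac2bc62ae678c2a3fa7b88d
SHA256 ca0a6f830f8b727785a0a303b242cdc89687be3424f29bf2fa49a95d182f6104

C:\Users\Public\Documents\123\PTvrst.exe
MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

C:\WINDOWS\DNomb\Mpec.mbt
MD5 384f8e7beec8670f7f483720422afa46
SHA256 cf45dcc35a9c189779cf442196cf98e4ee7a5543c235f3df1cadf427d268f1ee
"""


def parse_files(text):
    """Return [(path, {algo: digest}), ...]; memory/... dump entries are skipped."""
    entries, path, digests = [], None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        if line[1:3] == ":\\":          # a Windows path starts a new entry
            if path:
                entries.append((path, digests))
            path, digests = line, {}
        else:
            algo, _, value = line.partition(" ")
            digests[algo] = value.lower()
    if path:
        entries.append((path, digests))
    return entries


def review(entries):
    """Group by path and by content; return (by_path, by_hash, notes)."""
    by_path = defaultdict(set)   # lower-cased path -> distinct SHA256 values seen there
    by_hash = defaultdict(set)   # SHA256 -> distinct paths with that content
    for path, d in entries:
        sha = d.get("SHA256")
        if sha:
            by_path[path.lower()].add(sha)
            by_hash[sha].add(path.lower())
    notes = []
    for path, hashes in sorted(by_path.items()):
        if EMPTY_SHA256 in hashes:
            notes.append(f"{path}: captured with zero-byte content (created or truncated before being written)")
        if len(hashes) > 1:
            notes.append(f"{path}: {len(hashes)} distinct contents across captures")
    for sha, paths in sorted(by_hash.items()):
        if len(paths) > 1:
            notes.append(f"{sha[:12]}: same content at {len(paths)} paths")
    # Same file name in different directories but different content.
    by_name = defaultdict(set)
    for path in by_path:
        by_name[path.rsplit("\\", 1)[-1]].add(path)
    for name, paths in sorted(by_name.items()):
        hashes = set().union(*(by_path[p] for p in paths))
        if len(paths) > 1 and len(hashes) > 1:
            notes.append(f"{name}: {len(paths)} paths carry {len(hashes)} different binaries under one name")
    return by_path, by_hash, notes


if __name__ == "__main__":
    for note in review(parse_files(SAMPLE))[2]:
        print(note)
```

Tracking by_hash rather than by path is what matters for blocking: the hash of C:\Windows\DNomb\spolsvt.exe and the hash of C:\Users\Public\Documents\t\spolsvt.exe are two separate indicators, and yh.png's changing digests mean the file name, not any one hash, is the stable artefact.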