Analysis Overview
SHA256
f4f6a32020ff04813c5268f622d3541dd8c4c635d81ad891094e3dd4ea77dafa
Threat Level: Known bad
The file robot.7z was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2023-07-28 09:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-28 09:48
Reported
2023-07-28 09:54
Platform
win10v2004-20230703-en
Max time kernel
173s
Max time network
302s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3256 set thread context of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe |
| PID 1964 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | C:\Users\Public\Documents\t\spolsvt.exe |
| PID 2280 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe |
| PID 3944 set thread context of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\robot\elf.exe | C:\Users\Public\Documents\t\spolsvt.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\robot.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\robot\" -spe -an -ai#7zMap26776:88:7zEvent7395
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
"C:\Users\Admin\AppData\Local\Temp\robot\elf.exe"
C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe
"C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe"
C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe
"C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe"
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
"C:\Users\Admin\AppData\Local\Temp\robot\elf.exe"
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.194.32:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c3.wccabc.com | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | 150.115.238.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
| Hash | Value |
| --- | --- |
| MD5 | d8cec8c6175c36aa412096745fa4f402 |
| SHA1 | 934c5ef76e290cbf4f53aec136e7af5c5927a8ec |
| SHA256 | 01ef0d37701f46f5d788a07dfd8323f4a675e15711582655cab2130c7006ec04 |
| SHA512 | 8081e88d16f12ca5596e8158972f58239b5e98de4895738dfb4240500c17a692dc82e6080fc121bd150af87a90f298d06732d21bd280e6e0753dee2006853d6b |
C:\Users\Admin\AppData\Local\Temp\robot\UdpReport.dll
| Hash | Value |
| --- | --- |
| MD5 | 7fb6175a75f0417856bc402b56403412 |
| SHA1 | 24ac53971b6b00e27716c334e0356f4e1dacfe67 |
| SHA256 | 0933264a13c1643e176019a6df7465700cb810abb9ad3dbe426b93f2b536c105 |
| SHA512 | f8dd03a9b13738704c8d4fd6d0967e472100256376e2207a813147e8f26708ea14ce95e8c224bbe6c3fd16cd93607a01486ab180a09361bb987d099f7541a404 |
C:\Users\Admin\AppData\Local\Temp\robot\DockHelp.dll
| Hash | Value |
| --- | --- |
| MD5 | 025523492a698abe3eaed965fad9514a |
| SHA1 | 79993dd2521b50cdbd68a115517ab0a1c918b23f |
| SHA256 | 02c1f0772fd921a158925c6f727d812a243197c12d7d3d010f22d801ba84acf9 |
| SHA512 | 7390b92438a3e2a4de2555ce930e44a8266b5400d3536a1b29c64d9aea50a3882955f6a27a6bb7072dd72ace508eb66c354c8f645b7dfa8f19ef0371ad463719 |
C:\Users\Admin\AppData\Local\Temp\robot\ResLoader.dll
| Hash | Value |
| --- | --- |
| MD5 | db52f54569ecd8ce96a1526ccc674af1 |
| SHA1 | dc70830081e256fa0459097f2cf8077094d631fa |
| SHA256 | d1093a47a39980c8f826a0eca79e3bf4cf68e82d6ec37456c647367c70ee5aef |
| SHA512 | 20ea7a1afb4a5b2ff831a7e6be27f5e8d90e3ac832b5dacfb17a68d3039ef6ef8d03ff92caa40c596cc5deaa6eb7292d58137a465a3401c3a887e647c58d0feb |
C:\Users\Admin\AppData\Local\Temp\robot\pcid.dll
| Hash | Value |
| --- | --- |
| MD5 | 15c5f7afad07eb517de07e4bcb4cd4c4 |
| SHA1 | 5576d499084bab1cd9df895e498d8b9f4b3f34cf |
| SHA256 | 486ea8f6cba50d117e614d9852f1976f0a82e66002fdc42ba700177d28ae12d5 |
| SHA512 | e1e3b3ad12d2193c211fc0c16ff97a7e33660082c3584294e9f201811269169be58e787e1d49dd285dff7dbdc2f5a96b0011175702a8d3f0877af6cafa9c3847 |
C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe
| Hash | Value |
| --- | --- |
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Users\Admin\AppData\Local\Temp\robot\UdpRepot.xml
| Hash | Value |
| --- | --- |
| MD5 | 8154e8df2cd90047adbe81ba95ae0f08 |
| SHA1 | 67b3da71d17bfe911dff4783c9df30e7c3b30faf |
| SHA256 | e2a5ea5cce5c28d9ebf6f1aa179bf46b552e2c4b9bc6a7fb4694e032880a4bf4 |
| SHA512 | b9c1e3684e5f880ef20cbde8cf64b0739186c475ca0b654ddb56e22beaa34fee53db9690b5490058abca9f130f4c71b846d26f5bc9b9a41c982e3dd3e2567973 |
C:\Users\Public\Documents\t\spolsvt.exe
| Hash | Value |
| --- | --- |
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
C:\Users\Public\Documents\t\yh.png
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Public\Documents\t\yh.png
| Hash | Value |
| --- | --- |
| MD5 | 7d61b43ef5b62e90e6eeaa73516e16f4 |
| SHA1 | c7bfe0e34eb51341b56b9699429e573c5785360d |
| SHA256 | d0e03a95581389d176389690c9be8b567f61f8bbe2d430258e5621d3e0d0ec80 |
| SHA512 | df0f84db069fa80ea1e7ba91a185762eaf732140cd3dfeedfc431fd141673f01f1dc2963f41701b3deb5977de308849b510748b97b2833ab22a750237e2ca325 |