Malware Analysis Report

2025-03-15 03:55

Sample ID: 230728-ls436acg76
Target: robot.7z
SHA256: f4f6a32020ff04813c5268f622d3541dd8c4c635d81ad891094e3dd4ea77dafa
Tags: fatalrat, infostealer, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f4f6a32020ff04813c5268f622d3541dd8c4c635d81ad891094e3dd4ea77dafa

Threat Level: Known bad

The file robot.7z was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer rat

FatalRat

Fatal Rat payload

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-28 09:48

Signatures

Unsigned PE

No indicator, process or target details were recorded for this signature in the static pass.

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-28 09:48

Reported

2023-07-28 09:54

Platform

win10v2004-20230703-en

Max time kernel

173s

Max time network

302s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\robot.7z

Signatures

FatalRat (tags: infostealer, rat, fatalrat)

Fatal Rat payload (tags: rat, infostealer)

No indicator, process or target details were recorded for these two family signatures.

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Both writes come from Windows components handling the "cmd /c robot.7z" launch (shell file-association lookup and the Open With dialog); none of the sample's own processes touch this key.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A (64 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege in winnt.h) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

The 7zG.exe entries are the privileges an archiver enables to write security descriptors and symbolic links during extraction and are expected here. The two SeDebugPrivilege entries are one per instance of the dropped spolsvt.exe; SeDebugPrivilege lets a process open handles to processes it does not own, including SYSTEM processes, and pairs with the process enumeration recorded above.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A (25 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe N/A (6 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 1964 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
PID 1964 wrote to memory of 4664 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2280 wrote to memory of 3944 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
PID 3944 wrote to memory of 4132 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Public\Documents\t\spolsvt.exe

Two parallel chains: each elf.exe instance (3256, 2280) writes into a second copy of elf.exe (1964, 3944), which together with the SetThreadContext signature is consistent with process hollowing, and that copy then writes into a spolsvt.exe started from C:\Users\Public\Documents\t\ (4664, 4132).
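
The injection chain in the table above can be reconstructed mechanically from the rows. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in this report's flattened "Description Indicator Process Target" layout, collapses repeated events into counts, distinguishes self-image writes (the hollowing pattern, where a suspended copy of the same executable is overwritten) from cross-image writes, and walks writer-to-target edges from PIDs that were never themselves written to. The sample rows are a constructed subset of the table; the regular expression, function names and classification labels are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the report's WriteProcessMemory rows, one
# event per line, in the flattened "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
PID 3256 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
PID 3256 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
PID 1964 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2280 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
PID 3944 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3944 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\robot\elf.exe C:\Users\Public\Documents\t\spolsvt.exe
"""

# Writer PID, target PID, indicator column, then two paths. Paths may contain
# spaces, so the target path is anchored on its drive letter rather than on \S+.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) tuples.
    Header lines, blank lines and rows of other signatures are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, _indicator, src_image, dst_image = m.groups()
            events.append((int(src), int(dst), src_image, dst_image))
    return events


def summarize(events):
    """Collapse repeated rows into one entry per writer->target edge with a count."""
    return Counter(events)


def classify(src_image, dst_image):
    """Same image on both sides is the hollowing pattern: the writer started a
    suspended copy of its own executable and is overwriting it. Different images
    mean the payload was pushed into a separately dropped binary."""
    if src_image.lower() == dst_image.lower():
        return "self-image write (hollowing candidate)"
    return "cross-image write"


def build_chains(events):
    """Walk writer->target edges starting from PIDs that were never written to.
    Returns one PID list per root-to-leaf path, roots in ascending order."""
    children = {}
    for src, dst, _, _ in events:
        children.setdefault(src, set()).add(dst)
    targets = {dst for _, dst, _, _ in events}
    roots = sorted(set(children) - targets)
    chains = []

    def walk(path):
        nxt = sorted(children.get(path[-1], set()) - set(path))  # guards against cycles
        if not nxt:
            chains.append(path)
        for pid in nxt:
            walk(path + [pid])

    for root in roots:
        walk([root])
    return chains


def report(text):
    """One line per collapsed edge, then one line per reconstructed chain."""
    events = parse_rows(text)
    lines = []
    for (src, dst, si, di), n in sorted(summarize(events).items()):
        lines.append(f"{src} -> {dst}: {n} write(s), {classify(si, di)}")
    for chain in build_chains(events):
        lines.append("chain: " + " -> ".join(map(str, chain)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```

Run against the full table the same code yields the two chains 3256 -> 1964 -> 4664 and 2280 -> 3944 -> 4132, with the first hop of each flagged as a self-image write.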

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\robot.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\robot\" -spe -an -ai#7zMap26776:88:7zEvent7395

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

"C:\Users\Admin\AppData\Local\Temp\robot\elf.exe"

C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe

"C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe"

C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe

"C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe"

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

"C:\Users\Admin\AppData\Local\Temp\robot\elf.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

The launcher cmd.exe hands robot.7z to its file association; 7zG.exe extracts it into C:\Users\Admin\AppData\Local\Temp\robot\. From there elf.exe runs twice, and each instance starts a second copy of itself with an unquoted command line (the two entries without quotes above), then a spolsvt.exe from C:\Users\Public\Documents\t\. The PIDs in the WriteProcessMemory table give the resulting chains as 3256 -> 1964 -> 4664 and 2280 -> 3944 -> 4132. The spolsvt.exe extracted from the archive also runs twice on its own; it is a different binary from the one in C:\Users\Public\Documents\t\ (see the Files section).

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             240.81.21.72.in-addr.arpa       udp
US       8.8.8.8:53             158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53             75.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             assets.msn.com                  udp
NL       2.19.194.32:443        assets.msn.com                  tcp
US       8.8.8.8:53             58.99.105.20.in-addr.arpa       udp
US       8.8.8.8:53             32.194.19.2.in-addr.arpa        udp
US       8.8.8.8:53             59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53             206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53             c3.wccabc.com                   udp
HK       206.238.115.150:3927   c3.wccabc.com                   tcp
US       8.8.8.8:53             150.115.238.206.in-addr.arpa    udp
US       8.8.8.8:53             205.47.74.20.in-addr.arpa       udp
US       8.8.8.8:53             2.77.109.52.in-addr.arpa        udp
HK       206.238.115.150:3927   c3.wccabc.com                   tcp
US       8.8.8.8:53             51.15.97.104.in-addr.arpa       udp
US       8.8.8.8:53             57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53             7.173.189.20.in-addr.arpa       udp

Every 8.8.8.8:53 row is a DNS query from the VM. The in-addr.arpa names are reverse lookups of addresses the VM exchanged traffic with; two are recognisable in this table, 32.194.19.2 (the assets.msn.com address 2.19.194.32) and 150.115.238.206 (the 206.238.115.150 below). assets.msn.com over 443 is Windows background traffic. The only destination that is neither DNS nor Microsoft is c3.wccabc.com, resolved to 206.238.115.150 (HK) and contacted twice on TCP port 3927, once per spolsvt.exe chain; the domain, the address and the non-standard port are the network indicators to take from this sample.

Files

Unique files (the sandbox recorded several captures of most files; identical captures are merged, hashes as recorded)

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe (5 captures)
MD5 d8cec8c6175c36aa412096745fa4f402
SHA1 934c5ef76e290cbf4f53aec136e7af5c5927a8ec
SHA256 01ef0d37701f46f5d788a07dfd8323f4a675e15711582655cab2130c7006ec04
SHA512 8081e88d16f12ca5596e8158972f58239b5e98de4895738dfb4240500c17a692dc82e6080fc121bd150af87a90f298d06732d21bd280e6e0753dee2006853d6b

C:\Users\Admin\AppData\Local\Temp\robot\UdpReport.dll (5 captures)
MD5 7fb6175a75f0417856bc402b56403412
SHA1 24ac53971b6b00e27716c334e0356f4e1dacfe67
SHA256 0933264a13c1643e176019a6df7465700cb810abb9ad3dbe426b93f2b536c105
SHA512 f8dd03a9b13738704c8d4fd6d0967e472100256376e2207a813147e8f26708ea14ce95e8c224bbe6c3fd16cd93607a01486ab180a09361bb987d099f7541a404

C:\Users\Admin\AppData\Local\Temp\robot\DockHelp.dll (5 captures)
MD5 025523492a698abe3eaed965fad9514a
SHA1 79993dd2521b50cdbd68a115517ab0a1c918b23f
SHA256 02c1f0772fd921a158925c6f727d812a243197c12d7d3d010f22d801ba84acf9
SHA512 7390b92438a3e2a4de2555ce930e44a8266b5400d3536a1b29c64d9aea50a3882955f6a27a6bb7072dd72ace508eb66c354c8f645b7dfa8f19ef0371ad463719

C:\Users\Admin\AppData\Local\Temp\robot\ResLoader.dll (3 captures)
MD5 db52f54569ecd8ce96a1526ccc674af1
SHA1 dc70830081e256fa0459097f2cf8077094d631fa
SHA256 d1093a47a39980c8f826a0eca79e3bf4cf68e82d6ec37456c647367c70ee5aef
SHA512 20ea7a1afb4a5b2ff831a7e6be27f5e8d90e3ac832b5dacfb17a68d3039ef6ef8d03ff92caa40c596cc5deaa6eb7292d58137a465a3401c3a887e647c58d0feb

C:\Users\Admin\AppData\Local\Temp\robot\pcid.dll (3 captures)
MD5 15c5f7afad07eb517de07e4bcb4cd4c4
SHA1 5576d499084bab1cd9df895e498d8b9f4b3f34cf
SHA256 486ea8f6cba50d117e614d9852f1976f0a82e66002fdc42ba700177d28ae12d5
SHA512 e1e3b3ad12d2193c211fc0c16ff97a7e33660082c3584294e9f201811269169be58e787e1d49dd285dff7dbdc2f5a96b0011175702a8d3f0877af6cafa9c3847

C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe (3 captures)
MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Users\Admin\AppData\Local\Temp\robot\UdpRepot.xml (1 capture)
MD5 8154e8df2cd90047adbe81ba95ae0f08
SHA1 67b3da71d17bfe911dff4783c9df30e7c3b30faf
SHA256 e2a5ea5cce5c28d9ebf6f1aa179bf46b552e2c4b9bc6a7fb4694e032880a4bf4
SHA512 b9c1e3684e5f880ef20cbde8cf64b0739186c475ca0b654ddb56e22beaa34fee53db9690b5490058abca9f130f4c71b846d26f5bc9b9a41c982e3dd3e2567973

C:\Users\Public\Documents\t\spolsvt.exe (3 captures; a different binary from the archive's spolsvt.exe, all four digests differ)
MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\yh.png (first capture, zero bytes: these are the digests of empty input, i.e. the file was captured at creation before anything was written)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Public\Documents\t\yh.png (second capture, after content was written)
MD5 7d61b43ef5b62e90e6eeaa73516e16f4
SHA1 c7bfe0e34eb51341b56b9699429e573c5785360d
SHA256 d0e03a95581389d176389690c9be8b567f61f8bbe2d430258e5621d3e0d0ec80
SHA512 df0f84db069fa80ea1e7ba91a185762eaf732140cd3dfeedfc431fd141673f01f1dc2963f41701b3deb5977de308849b510748b97b2833ab22a750237e2ca325

The four DLLs next to elf.exe in the extraction directory are the only DLLs the sandbox saw and are the candidates for the "Loads dropped DLL" signature in the overview. The two files under C:\Users\Public\Documents\t\ (spolsvt.exe and yh.png) are created during the run and are not in the archive listing.

Memory dumps (grouped by PID; dump sequence number, region, size)

PID 3256, elf.exe
158    0x00AB0000-0x00AC5000  (0x15000)
161    0x00AE0000-0x00AF5000  (0x15000)
163    0x74C30000-0x74D51000  (0x121000)
164    0x77230000-0x77445000  (0x215000)
4038   0x76A80000-0x76C20000  (0x1A0000)
6047   0x77450000-0x774CA000  (0x7A000)
13239  0x74C30000-0x74D51000  (0x121000)

PID 1964, elf.exe (written to by 3256)
13236  0x00400000-0x00532000  (0x132000)
13240  0x00400000-0x00531200  (0x131200)
13241  0x00400000-0x00532000  (0x132000)
13243  0x00400000-0x00532000  (0x132000)
13245  0x00400000-0x00532000  (0x132000)
13414  0x00400000-0x00532000  (0x132000)
13416  0x00400000-0x00531200  (0x131200)

PID 2280, elf.exe
13250  0x00980000-0x00995000  (0x15000)
13252  0x009A0000-0x009B5000  (0x15000)
13255  0x74BA0000-0x74CC1000  (0x121000)
13263  0x77230000-0x77445000  (0x215000)
17147  0x76A80000-0x76C20000  (0x1A0000)
19156  0x77450000-0x774CA000  (0x7A000)
26344  0x74BA0000-0x74CC1000  (0x121000)

PID 4664, C:\Users\Public\Documents\t\spolsvt.exe (written to by 1964)
13259  0x00400000-0x00430000  (0x30000)
13260  0x00400000-0x00430000  (0x30000)
13261  0x00400000-0x00430000  (0x30000)
13266  0x00400000-0x00430000  (0x30000)
13271  0x10000000-0x1002A000  (0x2A000)

PID 3944, elf.exe (written to by 2280)
26346  0x00400000-0x00532000  (0x132000)
26361  0x00400000-0x00532000  (0x132000)
26362  0x00400000-0x00531200  (0x131200)

PID 4132, C:\Users\Public\Documents\t\spolsvt.exe (written to by 3944)
26356  0x10000000-0x1002A000  (0x2A000)

The two chains leave the same footprint: the hollowed elf.exe copies (1964, 3944) are dumped at their 0x00400000 image region, and each spolsvt.exe target (4664, 4132) carries one 0x2A000-byte region at 0x10000000 that is not part of its own image. 0x10000000 is the default image base of a 32-bit DLL that was not relocated, so that region is the natural place to look for the injected module when the dumps are examined.
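
The Files section as the sandbox exports it is flattened and repeats entries. The following Python is an added example, not part of the report or its tooling: it parses that layout, merges identical captures, recognises a zero-byte capture by comparing against the digest of empty input rather than a hard-coded constant, flags a filename that appears with different content at different paths (spolsvt.exe in this report), and groups memory dumps by PID with region sizes. The sample text is a constructed subset of the section with SHA1 and SHA512 lines omitted for brevity; the parser accepts all four digest lines. Function names and the regular expressions are the example's own assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of the report's Files section in its flattened
# layout (path line, then digest lines, memory dumps interleaved).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
MD5 d8cec8c6175c36aa412096745fa4f402
SHA256 01ef0d37701f46f5d788a07dfd8323f4a675e15711582655cab2130c7006ec04

C:\Users\Admin\AppData\Local\Temp\robot\elf.exe
MD5 d8cec8c6175c36aa412096745fa4f402
SHA256 01ef0d37701f46f5d788a07dfd8323f4a675e15711582655cab2130c7006ec04

memory/3256-158-0x0000000000AB0000-0x0000000000AC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\robot\spolsvt.exe
MD5 523d5c39f9d8d2375c3df68251fa2249
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

C:\Users\Public\Documents\t\spolsvt.exe
MD5 cdce4713e784ae069d73723034a957ff
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

C:\Users\Public\Documents\t\yh.png
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Public\Documents\t\yh.png
MD5 7d61b43ef5b62e90e6eeaa73516e16f4
SHA256 d0e03a95581389d176389690c9be8b567f61f8bbe2d430258e5621d3e0d0ec80

memory/4664-13271-0x0000000010000000-0x000000001002A000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero bytes of input


def parse_files(text):
    """Return (records, dumps): records are {'path', 'md5', 'sha256', ...} dicts in
    report order, dumps are (pid, start, end) tuples with integer addresses."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, start, end = m.groups()
            dumps.append((int(pid), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        current = {"path": line}  # any other non-blank line starts a new file entry
        files.append(current)
    return files, dumps


def unique_files(files):
    """Merge repeated captures. SHA256 is part of the key, so one path captured
    with different content (written after creation) stays as two records."""
    seen, out = set(), []
    for f in files:
        key = (f["path"].lower(), f.get("sha256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def flag_anomalies(files):
    """Zero-byte captures, and filenames reused with different content."""
    findings, by_name = [], defaultdict(set)
    for f in unique_files(files):
        name = f["path"].rsplit("\\", 1)[-1].lower()
        digest = f.get("sha256")
        if digest == EMPTY_SHA256:
            findings.append(f"zero-byte capture: {f['path']}")
        else:
            by_name[name].add(digest)  # the empty snapshot is not a content variant
    for name, digests in sorted(by_name.items()):
        if len(digests) > 1:
            findings.append(f"name reuse with different content: {name} ({len(digests)} SHA256 values)")
    return findings


def dump_regions(dumps):
    """Group dumped regions by PID as sorted, deduplicated (start, size) pairs."""
    regions = defaultdict(set)
    for pid, start, end in dumps:
        regions[pid].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    recs, dumps = parse_files(SAMPLE_FILES)
    for f in unique_files(recs):
        print(f"{f.get('sha256')}  {f['path']}")
    print("\n".join(flag_anomalies(recs)))
    for pid, regions in sorted(dump_regions(dumps).items()):
        print(pid, [(hex(s), hex(n)) for s, n in regions])
```

On the sample the two elf.exe captures collapse to one record, yh.png keeps both of its captures (the zero-byte one is reported separately), spolsvt.exe is flagged because the archive copy and the C:\Users\Public\Documents\t\ copy have different SHA256 values, and the 0x10000000 region in PID 4664 comes out with its 0x2A000 size.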