Analysis Overview
SHA256
60cba21cb96bb62a49176c2211064df239a6d95a397d0ff9881dad21f9539c67
Threat Level: Known bad
The file WPS-ofcnuirya.msi was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2023-07-31 03:56 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-07-31 03:56 |
| Reported | 2023-07-31 03:59 |
| Platform | win10v2004-20230703-en |
| Max time kernel | 142s |
| Max time network | 151s |
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation | C:\Users\Public\cai3\u1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\robot\elf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\robot\elf.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" | C:\Users\Admin\Documents\robot\elf.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4916 set thread context of 936 | N/A | C:\Users\Public\cai3\u1.exe | C:\Users\Public\Documents\t\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Office\WPS Office\Wps\WPS_Installer.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{ED774442-3DA3-4970-891D-5715B35192C1}\WPS_Installer.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e580644.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6F0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA21.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{ED774442-3DA3-4970-891D-5715B35192C1}\WPS_Installer.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e580644.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7BC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI81B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{ED774442-3DA3-4970-891D-5715B35192C1} | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007dd8df8e73a10d6f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007dd8df8e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809007dd8df8e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809197dd8df8e000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007dd8df8e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
| N/A | N/A | C:\Users\Public\cai3\u1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS-ofcnuirya.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 6CE15426718EF256ED492D6E06E70832 C |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding E269D49B26509D65413858E41D9B3CB9 |
| C:\Users\Public\cai3\u1.exe | "C:\Users\Public\cai3\u1.exe" |
| C:\Users\Public\Documents\t\spolsvt.exe | C:\Users\Public\Documents\t\spolsvt.exe |
| C:\Users\Admin\Documents\robot\elf.exe | "C:\Users\Admin\Documents\robot\elf.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c del u1.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 88.221.24.115:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.24.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.104.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c3.wccabc.com | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | xfer.10jqka.com.cn | udp |
| CN | 175.6.25.19:80 | xfer.10jqka.com.cn | tcp |
| N/A | 127.0.0.1:52699 | N/A | tcp |
| US | 8.8.8.8:53 | 19.25.6.175.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | shusheng1.oss-cn-hongkong.aliyuncs.com | udp |
| HK | 47.75.19.136:443 | shusheng1.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 136.19.75.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| HK | 206.238.115.150:3927 | c3.wccabc.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI802C.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI829E.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI835B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI83BA.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI8409.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI85BF.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI866C.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI86CB.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI966C.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI96AB.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI96FA.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI6F0.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI7BC.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI81B.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8E7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Config.Msi\e580645.rbs
| MD5 | ccd6e55986b95ea85e80a94bd565120f |
| SHA1 | 2b092f9fa8b4bca25f7c2958c339df2492dd14a3 |
| SHA256 | 476d55f1aa2723b55060558820f66a39b011b6f017cdd92dec3c72d4718c964c |
| SHA512 | a04ba19aa65136c202e036ed6d726a0335346d4fcae5526f47f78625d514c8519e32d960939b758639a7311ba4a025aaeeeaf9f15358764d7ad7faa54a4a3715 |
C:\Users\Admin\AppData\Local\Temp\MSIC99.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\cai3\u1.exe
| MD5 | ba43cffa26292b012777fa3f8a7f954e |
| SHA1 | 9f1d429e700ae3605be5a787eca6730767b20f98 |
| SHA256 | 842c887dbcb6f908cc4d7368b88af62cb9b7cf3eb2910e701a51579193a3375d |
| SHA512 | cdeb4ce3dda6c7983489bbdec8c2f29d528106f76bf1924711135c88db7353b7ff96d19730ffd23a8ed4efa342d6de705d1009f1c421952923c6603b45591d57 |
memory/4916-236-0x0000000000400000-0x000000000086E000-memory.dmp
memory/4916-237-0x0000000076030000-0x0000000076245000-memory.dmp
memory/4916-4111-0x0000000075BF0000-0x0000000075D90000-memory.dmp
memory/4916-6120-0x00000000769B0000-0x0000000076A2A000-memory.dmp
\??\Volume{8edfd87d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1cf0f44d-129b-407d-86ef-ef57d863cf2c}_OnDiskSnapshotProp
| MD5 | e824f5efe99e43c61284920f6196d4a7 |
| SHA1 | 0c638e6c3b42b2b8e585dd2251cef6144b40c28e |
| SHA256 | efce7903dba3c272abc1416cf760f8b04fbf3a8a4794fa6e83ff8ef54cad0fa4 |
| SHA512 | 3af5da42a830c71cbbfd1a6d1697101ed53ddacef2c47b9b069d9b49ca1c62fa10cf3de539b105699b65831e04df4228bfa6f58d14144761eb009959e4458127 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | b70171a66c224733f7a2d392f4d6b1bd |
| SHA1 | 8f61308f087703fc109e19b3aae48f7100631798 |
| SHA256 | 9814a28b936f6ee7d17605a903ce8f44e61af04a878a23ae8410002b6120b1e1 |
| SHA512 | 54a9e0f237d8371393d1b6baef945a2f97614b951ccdb49fb887b00d5ec17632b6c73eba95c0d413e90d2b4fb2701d76e605188e0067bb738558f774a34e0fca |
memory/936-13309-0x0000000000400000-0x0000000000430000-memory.dmp
memory/936-13310-0x0000000000400000-0x0000000000430000-memory.dmp
memory/936-13311-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
memory/936-13315-0x0000000000400000-0x0000000000430000-memory.dmp
memory/936-13316-0x0000000010000000-0x000000001002A000-memory.dmp
C:\Users\Public\cai3\UnRAR.dll
| MD5 | c5587655293f83c72f0c88c74660dd10 |
| SHA1 | 675d7cac72e4caebebd7c2a88403d138b69acd89 |
| SHA256 | a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe |
| SHA512 | 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1 |
C:\Users\Admin\Documents\robot\elf.exe
| MD5 | 33922d12e5bb8f40ecddf816124ae93d |
| SHA1 | 28244217fa205f12cf40278e97a3a01e6d7366a3 |
| SHA256 | 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158 |
| SHA512 | 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973 |
C:\Users\Admin\Documents\robot\LoggerCollector.dll
| MD5 | 47fe0ab041a9c28fe838eb1b11556e33 |
| SHA1 | b7128f679230730cf477f3c081235de118c98960 |
| SHA256 | 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf |
| SHA512 | 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40 |
C:\Users\Admin\Documents\robot\skin\mainres.xml
| MD5 | 47fb824e5df4deb39e5b5342e833d8e4 |
| SHA1 | 3196520d4dabefd5b4eb6c689210d5ce459476da |
| SHA256 | 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289 |
| SHA512 | fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42 |
C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml
| MD5 | 2fdb0ba1aa4f2088d10468757490b3fc |
| SHA1 | 3757f286d6fa2585747bf6135eb8c927bc3145b8 |
| SHA256 | 6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a |
| SHA512 | aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa |
C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml
| MD5 | ee58358ad4380ad0da672cdb49247454 |
| SHA1 | e99376e5eaa92538221789ff8f25768d83f0cf1e |
| SHA256 | 633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103 |
| SHA512 | eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3 |
C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml
| MD5 | f74ff1f559d4f5a7af7b09b00d17a3f7 |
| SHA1 | 7ae57ae206977eb874cf1037e7dedb37cb464e4b |
| SHA256 | 1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781 |
| SHA512 | fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51 |
memory/4916-13377-0x0000000000400000-0x000000000086E000-memory.dmp
memory/4916-13387-0x0000000000400000-0x000000000086E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI6F4B.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI8D8E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |