Malops Challenge 8: Reversing APT 37’s RokRaT Loader

2025-11-09 callyso0414

https://medium.com/@callyso0414/malops-challenge-9-reversing-apt-37s-rokrat-loader-7f7ad49e4662


The article walks through reversing a RokRAT loader sample used in a Malops challenge focused on APT37 activity. The analysis identifies the sample's MD5, its entry point, a single-byte XOR key of 0x29 used to decrypt the embedded shellcode, and the use of VirtualAlloc with PAGE_EXECUTE_READWRITE to stage the decrypted payload in executable memory. It also describes the loader's API-hashing behaviour, including the hash used to resolve VirtualAlloc, a ROR-based DLL-name hashing algorithm, and validation checks against the PE header. The write-up is useful for APT37/RokRAT tracking because it documents loader internals, shellcode decryption, executable-memory allocation, and hashed API resolution patterns that analysts can use when triaging similar samples.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  cf28ef5ceda2aa7d7c149864723e5890  2025-11-09  2025-11-09
