Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 06:32

Static task: static1
Behavioral task: behavioral1
Sample: slitheris_installer.exe
Resource: win7-20240220-en

General
Target: slitheris_installer.exe
Size: 7.5MB
MD5: 04f6dade94b26b39a62a96d51a37e127
SHA1: 12832e117c24728f983ba5dce474262d03cef66f
SHA256: af031905bb25bfe31a522056cf45d00d52cb79d5e0b05a3d318a966099f3ab77
SHA512: df8e3f691c60e5deeee7523f577a61d976b9f5e87af7f9359ca4a1ae44800725ebc94057bdda161b14f84f1b8ec02214feaf3bf6a16b942a056172349890aa6d
SSDEEP: 196608:MCjDh10L/+LWcjetcGbieXBL5mpeDnHvCVQjW4:HJSb+iKGbpmpCnPGQH
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0006000000015f23-144.dat | acprotect |

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0006000000015fa6-99.dat | upx |
| behavioral1/files/0x0006000000015f23-144.dat | upx |
| behavioral1/memory/580-153-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-177-0x0000000034240000-0x00000000343DF000-memory.dmp | upx |
| behavioral1/memory/580-182-0x0000000034240000-0x00000000343DF000-memory.dmp | upx |
| behavioral1/memory/580-181-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-183-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-184-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-186-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-194-0x0000000034240000-0x00000000343DF000-memory.dmp | upx |
| behavioral1/memory/580-193-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-200-0x0000000034240000-0x00000000343DF000-memory.dmp | upx |
| behavioral1/memory/580-199-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-262-0x0000000034240000-0x00000000343DF000-memory.dmp | upx |
| behavioral1/memory/580-261-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-263-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
| behavioral1/memory/580-280-0x0000000000400000-0x0000000000A6C000-memory.dmp | upx |
Drops file in System32 directory 13 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\is-BRE0U.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-5JGOQ.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-VD17L.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-MIIHV.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-406GT.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-I2KT6.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-DH06D.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-FOJ53.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-EGMVT.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-ETRH3.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-CQUMN.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-3ARAI.tmp | slitheris_installer.tmp |
| File created | C:\Windows\SysWOW64\is-M5IO7.tmp | slitheris_installer.tmp |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 32 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-85ROE.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-OJ1U6.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-R8RE7.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-09A6Q.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-AVV4U.tmp | slitheris_installer.tmp |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris\system.mdb | Slitheris.exe |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Welcome.dat | Slitheris.exe |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\unins000.dat | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-62NEE.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-AI787.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-IQTI7.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-GOC7B.tmp | slitheris_installer.tmp |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.ldb | Slitheris.exe |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-LEDOM.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-J3JAV.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-JGUPG.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-8433P.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-N5R2A.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-TFDAL.tmp | slitheris_installer.tmp |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris\unins000.dat | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-1JJPN.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-T94B5.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\is-EMG6M.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-RB2TE.tmp | slitheris_installer.tmp |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.mdb | Slitheris.exe |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe | Slitheris.exe |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-M6NNK.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-1PHNJ.tmp | slitheris_installer.tmp |
| File opened for modification | C:\Program Files (x86)\Komodo Labs\Slitheris | Slitheris.exe |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-IPNIO.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-BUUR0.tmp | slitheris_installer.tmp |
| File created | C:\Program Files (x86)\Komodo Labs\Slitheris\is-6PSFS.tmp | slitheris_installer.tmp |
Executes dropped EXE 2 IoCs

| pid | Process |
|---|---|
| 2916 | slitheris_installer.tmp |
| 580 | Slitheris.exe |

Loads dropped DLL 29 IoCs

| pid | Process |
|---|---|
| 2064 | slitheris_installer.exe |
| 2916 | slitheris_installer.tmp |
| 2916 | slitheris_installer.tmp |
| 2916 | slitheris_installer.tmp |
| 2916 | slitheris_installer.tmp |
| 1012 | regsvr32.exe |
| 2344 | regsvr32.exe |
| 2328 | regsvr32.exe |
| 620 | regsvr32.exe |
| 1172 | regsvr32.exe |
| 1680 | regsvr32.exe |
| 2088 | regsvr32.exe |
| 632 | regsvr32.exe |
| 1724 | regsvr32.exe |
| 2848 | regsvr32.exe |
| 1444 | regsvr32.exe |
| 1444 | regsvr32.exe |
| 392 | regsvr32.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\Compatibility Flags = "1024" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{612685EF-57C8-469F-88AB-E4E0B595C5AB}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}" | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\AlternateCLSID = "{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}" | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7} | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\AlternateCLSID = "{2B577565-36F7-4351-B2E7-DAFC75E9D72A}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000} | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{53749718-F78D-4A67-8703-8AE050075170}" | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\AlternateCLSID = "{97992019-74A6-46C7-9CA3-7F8C0D39940B}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}" | regsvr32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Compatibility Flags = "1024" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004} | regsvr32.exe |
Modifies registry class 64 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1427346-A852-11D4-B06C-00500427A693}\Forward | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E895E1B6-DECD-4F0F-AF78-DB95B5D888D9}\VERSION | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cDBAccess\ = "vbRichClient5.cDBAccess" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cProperty\Clsid | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cAttribute\ = "vbRichClient5.cAttribute" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373BCC77-27BF-4CB1-9ABF-4558D9835223}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48890E6F-92B6-4671-9613-6B2A0FBF80A8}\ProgID | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ThreadFactoryLib.TFHelperFunctions\CLSID\ = "{C3B7D31C-B15C-438B-9ED4-DA1CFDE2C2D4}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2460CC9-4AE5-423E-A08C-3B4D485D3105}\ProxyStubClsid32 | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{297F84E0-E58D-44AC-B2C6-B77D91A5EF3D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC88A9B6-E0F4-43FA-939A-8AD9EAA30E4B} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86DF2A53-895B-4B17-9BCC-3750C4CF595C}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70A5837B-0AB0-42CF-97DF-CE237A10C488}\ = "_cAudioClient" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5A8A8AA-610E-4322-89C5-F1C59E48070B} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C991EE4F-79A4-4330-B8D7-9723299880FA}\VERSION\ = "2.5" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{757D29C3-8013-448B-9979-551795C60D86}\Implemented Categories | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10150733-F52C-4E8D-9C95-EE2AE53E985F} | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5240FE04-495B-4D2D-9DB9-A7A4A022FA86} | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54F8C36-B15D-4E52-A0BE-8E7514060EFA} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Codejock.ChartFunnelSeriesStyle.15.1.3.0908\ = "Codejock.ChartFunnelSeriesStyle.15.1.3.0908" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343FD413-69EF-4A4E-88D7-4B3F10DA20D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B32EC07-1D38-48CC-A3B4-87DF9A23FF56} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cTDD\ = "vbRichClient5.cTDD" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0948BFBA-58D9-4976-9351-38C914512313}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D827C63-1D99-4E33-A80C-70F6499AEB04}\TypeLib | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\TypeLib | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35AEE29C-4A65-401A-AADD-996F91B9B286} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2460CC9-4AE5-423E-A08C-3B4D485D3105}\ = "cAttributes" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cRPCConnection\Clsid\ = "{40BE39F8-38C3-4231-A097-0D041DBF33E4}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7464812-5F5C-4AFB-A8DD-DEF5AFCE3B7F}\1.0\0 | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3955E19-0239-49EB-8ED6-D663DD9EDE35}\ProxyStubClsid | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3E8F27C-F537-4589-97BE-CFC26B39B317}\TypeLib | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F674FDF0-C394-45DA-B86B-7C602E5B3320}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BB860E7-3582-4EF8-B233-525AE1B60457}\ProgID | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612C1945-13A5-47BC-9090-2615F336769E}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F004863B-E7F2-4607-9EB1-11EB7E50CFC3}\ = "vbRichClient5.cpSlideJoint" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cDataBase\Clsid\ = "{6A7B007F-155D-4D03-AE1C-B94B05999AA1}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5245727E-3F9B-4AF7-8B41-4BC691337635}\Implemented Categories | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B5E8AC2-337D-465f-A1F3-257564521643}\VersionIndependentProgID\ = "ThreadFactoryLib.CancelObject" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F53C674-CEB8-47DA-B4E1-15C00F54A876}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0D0751D-991B-44F2-B5BC-5643ECDCAB64}\ = "_cpSimpleMotor" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA548D2-0717-4A67-A3D7-1635396BA8CE}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9B4BDF1-2DDA-4297-BF30-08CB972BF385}\Programmable | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDD90E19-C78F-4215-86DA-055BC2923DDA}\ProgID | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{487BCC77-27BF-4CB1-9ABF-4558D9835223}\ = "_DChartPyramidSeriesStyle" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B5528F-56B8-46B8-B2D3-1809B31E91E8}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{40875BBA-818A-406D-A1DA-1D4B6C3A288F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7A87A32-8E0B-4CC0-8C94-EC290907A4DB}\ProgID | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{297F84E0-E58D-44AC-B2C6-B77D91A5EF3D} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E5B2929-000E-4921-B0E5-976597BD763B}\TypeLib\Version = "1.0" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECC8FE6A-7D7C-4AF1-BBFF-9525B27988A7}\Control | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27BCC77-27BF-4CB1-9ABF-4558D9835223} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib\ = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99186E0F-BE23-41B7-B9F9-662DF4B44596}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEAE345B-9984-4988-A6AA-5D26BE59BC44}\ProgID\ = "vbRichClient5.cFactory" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D1E2F62-1B8E-4EDE-9271-74B08080336A}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Codejock.ChartPieSeriesStyle.15.1.3.0908\CLSID\ = "{23490E6F-92B6-4671-9613-6B2A0FBF80A8}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94FE8370-0848-44B1-B46A-FF89CF341BD6}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0DF48C0-4578-41CC-86A1-D15E8396539C}\TypeLib\Version = "2.5" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D82D27-03D2-402D-9517-32CDDA215042}\ = "_cGlobal" | regsvr32.exe |
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Slitheris.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted) | Slitheris.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted) | Slitheris.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted) | Slitheris.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | Slitheris.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate data omitted) | Slitheris.exe |
Suspicious behavior: EnumeratesProcesses 4 IoCs

| pid | Process |
|---|---|
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |

Suspicious use of FindShellTrayWindow 5 IoCs

| pid | Process |
|---|---|
| 2916 | slitheris_installer.tmp |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |

Suspicious use of SendNotifyMessage 4 IoCs

| pid | Process |
|---|---|
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |

Suspicious use of SetWindowsHookEx 38 IoCs

| pid | Process |
|---|---|
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |
| 580 | Slitheris.exe |

Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2064 wrote to memory of 2916 | 2064 | slitheris_installer.exe | 28 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 2752 | 2916 | slitheris_installer.tmp | 29 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 1012 | 2916 | slitheris_installer.tmp | 31 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2344 | 2916 | slitheris_installer.tmp | 32 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 2328 | 2916 | slitheris_installer.tmp | 33 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 620 | 2916 | slitheris_installer.tmp | 34 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1172 | 2916 | slitheris_installer.tmp | 35 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 1680 | 2916 | slitheris_installer.tmp | 36 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 2088 | 2916 | slitheris_installer.tmp | 37 |
| PID 2916 wrote to memory of 632 | 2916 | slitheris_installer.tmp | 38 |
Processes
- PID 2064: C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 2916: C:\Users\Admin\AppData\Local\Temp\is-2CCAA.tmp\slitheris_installer.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-2CCAA.tmp\slitheris_installer.tmp" /SL5="$4010A,6946262,876032,C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe"
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - PID 2752: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msvbvm60.dll"
    - PID 1012: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMCTL32.OCX"
      Signatures: Loads dropped DLL; Modifies Internet Explorer settings; Modifies registry class
    - PID 2344: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\cNewMenu6.dll"
      Signatures: Loads dropped DLL
    - PID 2328: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\iGrid700_10Tec.ocx"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 620: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Codejock.ChartPro.v15.1.3.0908.ocx"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 1172: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\SSubTmr6.dll"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 1680: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalIml240_10Tec.ocx"
      Signatures: Loads dropped DLL
    - PID 2088: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalSbar6.ocx"
      Signatures: Loads dropped DLL
    - PID 632: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalTbar6.ocx"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 1724: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ThreadFactoryOCX_RUNTIME.ocx"
      Signatures: Loads dropped DLL
    - PID 2848: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ThreadFactoryLib_RUNTIME.dll"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 1444: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbRichClient5.dll"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 392: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.dll"
      Signatures: Loads dropped DLL; Modifies registry class
    - PID 580: C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe
      Command line: "C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe"
      Signatures: Drops file in Program Files directory; Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 519KB
  MD5 73c71da668e17fc1b0498537533c26d2
  SHA1 4fc4c70dcbc3c132bdf8bf6547c16805ae7fd71c
  SHA256 f446cbbcb610a0ad8d1e533213a59540bc6005ad79d0f6e59ded05bf116674f3
  SHA512 cd50be22e922d2efce05446c305f36f265c10120a73fb9647771facc1179a574d61ed44fd5ff54f84d6046816dc7f897ac9141a94e67cee3f42bc9b3b7a8220b
- Filesize 37KB
  MD5 c456dac11bc04e33b8fdff4ec5f205ce
  SHA1 b47dc77cdc99720a459e70a3ffdd9ef388a94f80
  SHA256 127ac9ebe860baeacb020e2b7c872f0dd16727e6bb84fc77862d0c6289fc76bc
  SHA512 cb45994fb02935833b999d2c96b6c7fd011419f4df2db060d04e8394d8161dde9972eaa60c0218672aaf16a7ba6cfb5f3869118df40affdc2f768cc766a95932
- Filesize 42.9MB
  MD5 1d9199e4f22bda92ea253b8f9d116a19
  SHA1 8b8dedba96efcad94c4c297fbe7df29927aba323
  SHA256 4ba4c69de7387cab3f783d0fcfa0d761bd8f2e200b21a86aaeb7f2c1a5e7b76f
  SHA512 dc56f7910919f5eb72785509d442c75fd949a876232c52c354d508ed682654420312bc1fb06871f1eb0e6b6841027a2f269aaa83cae6463697fe92e1f4a85092
- Filesize 600KB
  MD5 fc9fef25cd6620d5691375f392b0fdc8
  SHA1 fdddec932d2842d94459e86212e17a88f9ce2c77
  SHA256 4f97aa44d3f5ecab907908d44a2cccd73ad67193fc10084ee1ba01577d9ad384
  SHA512 c2f3907d20efe2f71c7d5cd43d84f631a1adef4664c2de7b802ce2b766417906a22e534d771b29d6b29c6889f6045bcdfe91269a093c9a5af859c97c4f3ce137
- Filesize 1.2MB
  MD5 4eeb2b0ace3849d7714f782aa5ea687b
  SHA1 947fd7bcbb0e15f92562cead861163a07e227316
  SHA256 c279bae9525dcd4708d6ba7284c1a00c1081834ec9a97837ded435e0fbdd6ea6
  SHA512 89d0bd04acaf127fbb8ed749fca2915e03cd8fa70d6ae47b8f074dc71c3914540849af3f3c11c302a45cca0bd9f777d9bc12eb5b4a3ca6fc9da9e97fc6eb9824
- Filesize 23KB
  MD5 f9cad96ec2e655d19d474160c7c53485
  SHA1 3cbfc63d55c695f2aafb2add276fe60da968d952
  SHA256 f7fef855fdf9dac44fd23b06d1c7ecbe4142f11aaa5d68a3c91c578bdc64df05
  SHA512 9d6f379c873ed8028cfae606f31536495babdd3224682cf200864b5c7b493d69b7604978e8882872340a7a64ab21f141fb4ee9bb63843400bf68ed58a6c6b3b3
- Filesize 40KB
  MD5 dc7a3bc0fc185cd68848dc6f7d7b026b
  SHA1 c661cb1198f5e3927a67884e71ca95ff33026224
  SHA256 6618b3ab331642449f0b07e4f39abf9fc3bb90ae90b298f1b9ffd58ca5397399
  SHA512 22c9b2b7930e9e442699e37f43944f7cb4cd2562ed8319b4341c59475fa8071b501f4908227378b7883930f14c3059f66531bf876b386dea0027151b08006577
- Filesize 236KB
  MD5 78553ebfaa9dbeed86d36cada603dd28
  SHA1 8116289100f08644433a8287048b1dc173f19651
  SHA256 6f785af3c555e69be6b862ce9e7073adc060e5b940808d63b1aed142b50352fd
  SHA512 3eaa60beb40a3c2181cdf61df651b6bde29ed187fe5083ebeacf9d7c406bb0e8a727b5493b64921276c9951ccf66d005c1591c84755bbf46402500a81643bf69
- Filesize 168KB
  MD5 f20177009cb6681e6a98270527f4d781
  SHA1 d7b48256530bcdfe6c39ea0a56d644f437d6d9cf
  SHA256 eaae5e67e234944c588ef4ae17fdf7aad06a924e04bf8804decb43484e38e37e
  SHA512 474a383ed666ded0c2d74b5e58e653a2f2cdede31873e9732ed27fd9fd719df3dc415c9ffd0eb5fb9d5cf28bb915df6e1b42d8ba8249ae2c026d0e0e17cc7c37
- Filesize 156KB
  MD5 0a096566e80eab85c466a3f260d0d2fe
  SHA1 517abbe0d2c2311e84ed5a9ecea7d0f00656eb25
  SHA256 d8097ac6080f06779f6d6ee48c2ae79882d562f66bd3de18afe6bd84a5783004
  SHA512 f0bbaa449e33adea49163665935ba7d8bb9e0255690b6b65e9c77a2cdaece53643b9943ba342c6fff4404afab862bd48d3b5f86bd61b1dfb7d98d6213bae0b82
- Filesize 918KB
  MD5 2bf7311a50ff74525b69f360018fe245
  SHA1 957a5675ae31082a2d0af04d2fbd2df6ff29d429
  SHA256 3195717080dcd458068d3253d20935a12173e6ecb171b74cb3aa4d05f139f8b6
  SHA512 b3f061797e26ec9dc42c3a04523a6b3ec98311ab9f2bb5b7260515d9e43ddf4e35c741ed2dc80335dc7922b1ee712f4c7585fe323495353ac52b0c20ca359a9b
- Filesize 3.7MB
  MD5 92c39b92040ad9c88af3fe70bf0abff5
  SHA1 866a3af0e503bdc1a9e13d7ebfee08f43a690dd5
  SHA256 5d4e60ceb742a6c53855c2c2c80c960a788109881d6a2d4948b38a488862ce6a
  SHA512 0b1ffab958735bcc2fb4d42aab4f7158faeb723c6286cd4050a3fca01ae7c25f62d18f975d17badf0b7aacc645c7117e28992870fb0eb0b6fe59523da4537f97
- Filesize 2.5MB
  MD5 4af8e37c0fe4ff8d19927e708816d474
  SHA1 6cacf3eb3159535239abd9d7d7fd787f3a0966d5
  SHA256 a450d8204ab794fd00ace8539e7b828e4a2e85d4731f54edee4a82a269b15801
  SHA512 b7ac820af2978216d975b8db681172f12ba8e354a0da93c2f9075ed219ba2516a62adb4d658adf9f390812b40a2c29f352b246563cc8a2410631c648ea21408b
- Filesize 136KB
  MD5 f8df78f319736723c2551e781b2562d4
  SHA1 0ea470ffe6da1520320b073fe42e6dc500359ff0
  SHA256 2aa5262d0fbb8ad08e3b0913ebe65b39e9d7f142102536b94ea6c056345a785e
  SHA512 e7a406314d0fc3ed1e84ccfb08a81a7520bc6030c4e815bba61b4074157fd170e0f4ef2d82eac4dc65b4baed11185407b672866f538b87e54868d24de33e7efb
- Filesize 56KB
  MD5 f2a60642c8c2f180da8ebeac3e089334
  SHA1 d449a76765887bb3bbc2cda641087a048d5d37d1
  SHA256 9018b1ccd2a67cba1c5fb93e868240473d53e7b9fa2b5e31d17a66c9b325c4e2
  SHA512 7607e6d4885b0571e6c7f816cc24b10e5c403aaf8143190ab6a83464aea7041e5e98160454a161f7cd6985b6cb4b6b266f0a04b7acb65448fd82606095fcd2b4
- Filesize 364KB
  MD5 93968a328cbc6495860f9ae1c9f5ee71
  SHA1 98ea43ec154d5a7344888ec72babee5b2fe7142b
  SHA256 35e6c9095fb07b5b45d5c3b1ff9a335ed2df3db38ce8f9d4cb7a3b081caab404
  SHA512 05c543dabab48ad964a312aeb67e14b72472ab662e9ce30af49e6d210c423ec20ff372467ef78b5772eb12b350cbfde11e19baaa8711ca9aa98f9b0120db2392
- Filesize 583B
  MD5 fa981bce7a31a65a5025f4aa78abb87e
  SHA1 961fee76f84455de110e05d6645a8e10bab17298
  SHA256 f0369961acafed9e30252e688f873cf767e4c4b0bb4faeb3c098a4be96ebe7a6
  SHA512 6b08e3abc258d8700a3489a3ada7cf7809f50ebb05ea7f3e8454287f63f19297d992a518b35ad224cdcda3d3481f448dbe6b51727688aaa1ed04acc071ab788a
- Filesize 344B
  MD5 7b5d735e9303aa72a083ab18bb7c935e
  SHA1 bd510db065670bef723c24292df0b9ebe47560bf
  SHA256 75e0964e8d343fe1b6dcaf7904619f9660f3204c7d14d4d7a68b8efe0321b0b2
  SHA512 fa6bc9020b6373844fab779f77bc4f849c23ca408703db00affc11a4e288123de94852f42138b1d16e2811a89f4a1ebe0199e1bb0a83d7f294b0bed7de60de02
- Filesize 5.6MB
  MD5 29a79ab4f77d33bc7597fe966f530e53
  SHA1 4bafd0cb7a297dd69fa9d7612c5110e6d844ed31
  SHA256 4bef4d49c0b8c58437932a1c04fa28350257656d31b02c31eb58420fd870d010
  SHA512 57a2658650184feac970206e78169e3c5ec30d935a5ecbe60fe0739b8f860054a938c66af579f6252cdc9380545928933dbca25ab1ff0e5aaf729c3e1b7e2cd2
- Filesize 68KB
  MD5 29f65ba8e88c063813cc50a4ea544e93
  SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize 177KB
  MD5 435a9ac180383f9fa094131b173a2f7b
  SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize 438KB
  MD5 5afd55df4d7962cd0dc79149feef7bc2
  SHA1 f55805fe197907c121013e02a924e9c9f5bacc48
  SHA256 5dd00c80477d0cd0feff6d49a71b0cf1c50847f58a5c0eef8adb88dc4f6d5762
  SHA512 3afd52aad5cd8c24177060f335c3a01f685e84d0f71db34c48e71e745c18758d0b5e8c54bdea6f0f14e085941f2b1c92b2da716b405864d7a4db6eb770ced3de
- Filesize 841KB
  MD5 3b814b7f43e1bf1bb55d09159a1ae85f
  SHA1 ec27002b647c965577e1eef42a1a37a8679c3c6f
  SHA256 fff2511a3479dc9c07ae18d44928e5789a478b1cf96638a9a47e6faf07eaf782
  SHA512 9f370f73e02a9d48c6b2b7dcfe8464094a7419ec48b16384e81ba7db73eb5a44de9461e98919f16545fd22f89448bc4c362a15c7928ea2edbf72c77d9a9e4f25
- Filesize 3.1MB
  MD5 5e2dd0805be1e620b0e365d52678e110
  SHA1 053875c8d357553434a3d5fce0e3924adc514b92
  SHA256 7d8a853cb75d90d34681b3b989f9f2d461fc9bd6c157eb587b0e3b7ab6d495bb
  SHA512 15ed845e31f0490f5063285f5aa90285cf9179d4d4fbd512502d8b8abeab50a223d1a9c1b95c9dbff0e6663b53e8fcfdd8f808e65a8b977aee34887473edffbf
- Filesize 3.1MB
  MD5 b43d853e5756b57ab6343dc87dec1ab6
  SHA1 f650c16f7d98fd5ce153294dcd5b21cd866956af
  SHA256 3c3a08aefde2193b047846dcf244c8139270c9738e80c7b652386b8c34d586cc
  SHA512 95fa7036adbcd2f940d5370695ae49e9c8090facc3888327729350b0a2371ca099c56ee4720554f5fcecdf14cb1191d622400c30c7d33cd634ad5fec63e4ab4f