af031905bb25bfe31a522056cf45d00d52cb79d5e0b05a3d318a966099f3ab77

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slitheris_installer.exe
Size

7.5MB
MD5

04f6dade94b26b39a62a96d51a37e127
SHA1

12832e117c24728f983ba5dce474262d03cef66f
SHA256

af031905bb25bfe31a522056cf45d00d52cb79d5e0b05a3d318a966099f3ab77
SHA512

df8e3f691c60e5deeee7523f577a61d976b9f5e87af7f9359ca4a1ae44800725ebc94057bdda161b14f84f1b8ec02214feaf3bf6a16b942a056172349890aa6d
SSDEEP

196608:MCjDh10L/+LWcjetcGbieXBL5mpeDnHvCVQjW4:HJSb+iKGbpmpCnPGQH

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023430-136.dat	acprotect

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023431-105.dat	upx
behavioral2/files/0x0007000000023430-136.dat	upx
behavioral2/memory/2084-145-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-170-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-175-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-174-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-176-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-178-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-180-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-181-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-188-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-187-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-195-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-194-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-213-0x0000000034240000-0x00000000343DF000-memory.dmp	upx
behavioral2/memory/2084-212-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx
behavioral2/memory/2084-226-0x0000000000400000-0x0000000000A6C000-memory.dmp	upx

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-41ARO.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-D60SN.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-IQ0K3.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-57PN6.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-MFH2P.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-BF508.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-0Q1FV.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-P3B96.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-2VJQ4.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-FG33N.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-03RDA.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-PU5S7.tmp	slitheris_installer.tmp
File created	C:\Windows\SysWOW64\is-IHOOI.tmp	slitheris_installer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-1OBJB.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-CI99P.tmp	slitheris_installer.tmp
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe	Slitheris.exe
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\unins000.dat	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-1JCLE.tmp	slitheris_installer.tmp
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.ldb	Slitheris.exe
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris	Slitheris.exe
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-R5RM7.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-SC9A5.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-EH9LE.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-HDGCV.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-UV7TO.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-RNB3O.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-PF65B.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-ML6MO.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-C199L.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-LLRF4.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Welcome.dat	Slitheris.exe
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-TQOC5.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-57RRB.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-RHRCG.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-081IM.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\is-1CPTL.tmp	slitheris_installer.tmp
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris\unins000.dat	slitheris_installer.tmp
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris\system.mdb	Slitheris.exe
File opened for modification	C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.mdb	Slitheris.exe
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-P9TPA.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-9IUSV.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-VJJ4U.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\is-LL7TG.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-AKSV2.tmp	slitheris_installer.tmp
File created	C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-U0DIP.tmp	slitheris_installer.tmp

Executes dropped EXE 2 IoCs

pid	Process
1692	slitheris_installer.tmp
2084	Slitheris.exe

Loads dropped DLL 25 IoCs

pid	Process
1860	regsvr32.exe
760	regsvr32.exe
1056	regsvr32.exe
8	regsvr32.exe
1884	regsvr32.exe
2188	regsvr32.exe
5056	regsvr32.exe
3852	regsvr32.exe
4188	regsvr32.exe
3444	regsvr32.exe
3560	regsvr32.exe
3560	regsvr32.exe
3572	regsvr32.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\AlternateCLSID = "{97992019-74A6-46C7-9CA3-7F8C0D39940B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{53749718-F78D-4A67-8703-8AE050075170}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{79C784C5-8F0D-4A55-ADB3-590CCFC8EB0D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\AlternateCLSID = "{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\AlternateCLSID = "{2B577565-36F7-4351-B2E7-DAFC75E9D72A}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{612685EF-57C8-469F-88AB-E4E0B595C5AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD9BCC77-27BF-4CB1-9ABF-4558D9835223}\ = "ChartSeriesPointCollection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1427354-A852-11D4-B06C-00500427A693}\InprocServer32\ = "C:\\Windows\\SysWow64\\vbalTbar6.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8875BF9C-48A4-4AD2-BAEE-575B7D4BAC71}\TypeLib\Version = "2.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C478243C-A968-4A05-BD31-7F812FCB5266}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54F8C36-B15D-4E52-A0BE-8E7514060EFA}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A0-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3E406A0-9E7E-4478-8042-4F705A6BF96B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cpSpace	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cpConstraint\ = "vbRichClient5.cpConstraint"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cRPCConnection\Clsid\ = "{40BE39F8-38C3-4231-A097-0D041DBF33E4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cOOEmbed	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7477B63-093A-4861-9AF1-E98316CF8BC1}\ProgID\ = "vbRichClient5.cReportDocument"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0B0153-24DB-433B-AAAB-5A11035F353C}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8530E4AA-2BF0-4FBF-BBC1-DA307BBD5280}\ = "_iGrid"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F674FDF0-C394-45DA-B86B-7C602E5B3320}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{349C75AA-5D98-47F9-B735-952B0A2C73C7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B16C3CA9-3325-492B-A8E7-62021824F97D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9CDECF2-CABC-4BE8-9E6D-84ED8FBA3A3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB2B7DEA-C45E-4C71-80CA-67C18045F275}\TypeLib\Version = "2.5"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDE3979D-5287-4840-8610-494E5BEC946A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F517FDAF-E3AA-4F0E-885C-36F5A427FCD8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D30D4B7-6853-44E6-A9D3-99B2D04CF051}\4.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC36E24F-E93E-4FC7-BFAE-19FBE4F8244B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A40FD6-0E0C-4A4D-970F-263695E6F5D4}\ = "vbRichClient5.cColumns"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ED5EC75-FCFE-4EBE-9CF7-5B61364A1CA4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{393BCC77-27BF-4CB1-9ABF-4558D9835223}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44490E6F-92B6-4671-9613-6B2A0FBF80A8}\ProgID\ = "Codejock.ChartCandleStickSeriesStyle.15.1.3.0908"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5109D33B-09DF-43F6-ACFA-5A4574166068}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612C1945-13A5-47BC-9090-2615F336769E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E35BCC77-27BF-4CB1-9ABF-4558D9835223}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABB2F9E2-C95B-41A2-B0CE-DD18A8A777ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F34BCC77-27BF-4CB1-9ABF-4558D9835223}\TypeLib\Version = "f.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1ED8A1C-D473-4BC8-8CA9-D44738AF2B2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBFBD44F-58EA-466A-A9E1-C00ED534F83E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE95C0B3-FC98-408B-BE07-4051A67DAF78}\ = "cViews"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{456BCC77-27BF-4CB1-9ABF-4558D9835223}\TypeLib\Version = "f.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED990E6F-92B6-4671-9613-6B2A0FBF80A8}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B68B694-D418-4DF1-A12C-AEE466A4D20D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A691DDC-C17B-491C-914C-2A0B5E1F4B95}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{349C75AA-5D98-47F9-B735-952B0A2C73C7}\ = "__cMMDeviceEnumerator"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29FCD8C4-84FC-498F-A632-BF3B7CC458FF}\ = "__cPart"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A0FD946-C455-4987-A0ED-5B0E9885FBE0}\ProgID\ = "vbRichClient5.cDeviceTopology"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BDFD378-F749-4AF4-9C67-FFF1DE4A03F5}\ = "SortGroupObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28D8149D-C650-4F39-BB55-6D0083D0DA0E}\ = "cToolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.IComparer\Clsid\ = "{5DC5928D-1849-4B60-814B-E0BB625A898F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E44F7BD4-3AB1-4D55-9190-FC53343AD2D2}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cVBDraw\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F13F4A0-F8AC-4BD0-A1F4-87626F3BB08D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB7FA237-4377-438E-89B8-F2C3A3E8A239}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9374CB13-789E-455B-B8E3-89EB9C9674AA}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F004863B-E7F2-4607-9EB1-11EB7E50CFC3}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F8812DF-12FE-4838-BEF4-B9B345A50682}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D30901B-11BC-46AD-8E31-E261A0860E48}\ = "vbRichClient5.cOOActionApproval"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E37BCC77-27BF-4CB1-9ABF-4558D9835223}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10557A3A-D6F5-4008-B944-BBEC48F4470B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cIndex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A158AD8-202B-48F7-8862-8809A6158241}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbRichClient5.cJPG\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3934EE2-DA47-4EEE-812F-B2965CD755AB}\TypeLib\ = "{C79C91A4-10F5-4F71-A490-3B7915514344}"	regsvr32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Slitheris.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Slitheris.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Slitheris.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Slitheris.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Slitheris.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Slitheris.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Slitheris.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1692	slitheris_installer.tmp
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe
2084	Slitheris.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1692	2404	slitheris_installer.exe	83
PID 2404 wrote to memory of 1692	2404	slitheris_installer.exe	83
PID 2404 wrote to memory of 1692	2404	slitheris_installer.exe	83
PID 1692 wrote to memory of 216	1692	slitheris_installer.tmp	97
PID 1692 wrote to memory of 216	1692	slitheris_installer.tmp	97
PID 1692 wrote to memory of 216	1692	slitheris_installer.tmp	97
PID 1692 wrote to memory of 1860	1692	slitheris_installer.tmp	98
PID 1692 wrote to memory of 1860	1692	slitheris_installer.tmp	98
PID 1692 wrote to memory of 1860	1692	slitheris_installer.tmp	98
PID 1692 wrote to memory of 760	1692	slitheris_installer.tmp	100
PID 1692 wrote to memory of 760	1692	slitheris_installer.tmp	100
PID 1692 wrote to memory of 760	1692	slitheris_installer.tmp	100
PID 1692 wrote to memory of 1056	1692	slitheris_installer.tmp	101
PID 1692 wrote to memory of 1056	1692	slitheris_installer.tmp	101
PID 1692 wrote to memory of 1056	1692	slitheris_installer.tmp	101
PID 1692 wrote to memory of 8	1692	slitheris_installer.tmp	102
PID 1692 wrote to memory of 8	1692	slitheris_installer.tmp	102
PID 1692 wrote to memory of 8	1692	slitheris_installer.tmp	102
PID 1692 wrote to memory of 1884	1692	slitheris_installer.tmp	103
PID 1692 wrote to memory of 1884	1692	slitheris_installer.tmp	103
PID 1692 wrote to memory of 1884	1692	slitheris_installer.tmp	103
PID 1692 wrote to memory of 2188	1692	slitheris_installer.tmp	104
PID 1692 wrote to memory of 2188	1692	slitheris_installer.tmp	104
PID 1692 wrote to memory of 2188	1692	slitheris_installer.tmp	104
PID 1692 wrote to memory of 5056	1692	slitheris_installer.tmp	105
PID 1692 wrote to memory of 5056	1692	slitheris_installer.tmp	105
PID 1692 wrote to memory of 5056	1692	slitheris_installer.tmp	105
PID 1692 wrote to memory of 3852	1692	slitheris_installer.tmp	106
PID 1692 wrote to memory of 3852	1692	slitheris_installer.tmp	106
PID 1692 wrote to memory of 3852	1692	slitheris_installer.tmp	106
PID 1692 wrote to memory of 4188	1692	slitheris_installer.tmp	107
PID 1692 wrote to memory of 4188	1692	slitheris_installer.tmp	107
PID 1692 wrote to memory of 4188	1692	slitheris_installer.tmp	107
PID 1692 wrote to memory of 3444	1692	slitheris_installer.tmp	108
PID 1692 wrote to memory of 3444	1692	slitheris_installer.tmp	108
PID 1692 wrote to memory of 3444	1692	slitheris_installer.tmp	108
PID 1692 wrote to memory of 3560	1692	slitheris_installer.tmp	109
PID 1692 wrote to memory of 3560	1692	slitheris_installer.tmp	109
PID 1692 wrote to memory of 3560	1692	slitheris_installer.tmp	109
PID 1692 wrote to memory of 3572	1692	slitheris_installer.tmp	110
PID 1692 wrote to memory of 3572	1692	slitheris_installer.tmp	110
PID 1692 wrote to memory of 3572	1692	slitheris_installer.tmp	110
PID 1692 wrote to memory of 2084	1692	slitheris_installer.tmp	112
PID 1692 wrote to memory of 2084	1692	slitheris_installer.tmp	112
PID 1692 wrote to memory of 2084	1692	slitheris_installer.tmp	112
PID 1692 wrote to memory of 2084	1692	slitheris_installer.tmp	112
PID 1692 wrote to memory of 2084	1692	slitheris_installer.tmp	112

C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe
"C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\is-DMDDC.tmp\slitheris_installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DMDDC.tmp\slitheris_installer.tmp" /SL5="$120032,6946262,876032,C:\Users\Admin\AppData\Local\Temp\slitheris_installer.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msvbvm60.dll"
    3⤵
    - Modifies registry class
    PID:216
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMCTL32.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1860
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\cNewMenu6.dll"
    3⤵
    - Loads dropped DLL
    PID:760
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\iGrid700_10Tec.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1056
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Codejock.ChartPro.v15.1.3.0908.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:8
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\SSubTmr6.dll"
    3⤵
    - Loads dropped DLL
    PID:1884
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalIml240_10Tec.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2188
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalSbar6.ocx"
    3⤵
    - Loads dropped DLL
    PID:5056
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbalTbar6.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3852
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ThreadFactoryOCX_RUNTIME.ocx"
    3⤵
    - Loads dropped DLL
    PID:4188
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ThreadFactoryLib_RUNTIME.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3444
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vbRichClient5.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3560
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3572
- - C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe
    "C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Komodo Labs\Slitheris\IL16.il

Filesize
519KB

MD5
73c71da668e17fc1b0498537533c26d2

SHA1
4fc4c70dcbc3c132bdf8bf6547c16805ae7fd71c

SHA256
f446cbbcb610a0ad8d1e533213a59540bc6005ad79d0f6e59ded05bf116674f3

SHA512
cd50be22e922d2efce05446c305f36f265c10120a73fb9647771facc1179a574d61ed44fd5ff54f84d6046816dc7f897ac9141a94e67cee3f42bc9b3b7a8220b

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\IL24.il

Filesize
37KB

MD5
c456dac11bc04e33b8fdff4ec5f205ce

SHA1
b47dc77cdc99720a459e70a3ffdd9ef388a94f80

SHA256
127ac9ebe860baeacb020e2b7c872f0dd16727e6bb84fc77862d0c6289fc76bc

SHA512
cb45994fb02935833b999d2c96b6c7fd011419f4df2db060d04e8394d8161dde9972eaa60c0218672aaf16a7ba6cfb5f3869118df40affdc2f768cc766a95932

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\IL32.il

Filesize
42.9MB

MD5
1d9199e4f22bda92ea253b8f9d116a19

SHA1
8b8dedba96efcad94c4c297fbe7df29927aba323

SHA256
4ba4c69de7387cab3f783d0fcfa0d761bd8f2e200b21a86aaeb7f2c1a5e7b76f

SHA512
dc56f7910919f5eb72785509d442c75fd949a876232c52c354d508ed682654420312bc1fb06871f1eb0e6b6841027a2f269aaa83cae6463697fe92e1f4a85092

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\COMCTL32.OCX

Filesize
600KB

MD5
fc9fef25cd6620d5691375f392b0fdc8

SHA1
fdddec932d2842d94459e86212e17a88f9ce2c77

SHA256
4f97aa44d3f5ecab907908d44a2cccd73ad67193fc10084ee1ba01577d9ad384

SHA512
c2f3907d20efe2f71c7d5cd43d84f631a1adef4664c2de7b802ce2b766417906a22e534d771b29d6b29c6889f6045bcdfe91269a093c9a5af859c97c4f3ce137

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\Codejock.ChartPro.v15.1.3.0908.ocx

Filesize
1.2MB

MD5
4eeb2b0ace3849d7714f782aa5ea687b

SHA1
947fd7bcbb0e15f92562cead861163a07e227316

SHA256
c279bae9525dcd4708d6ba7284c1a00c1081834ec9a97837ded435e0fbdd6ea6

SHA512
89d0bd04acaf127fbb8ed749fca2915e03cd8fa70d6ae47b8f074dc71c3914540849af3f3c11c302a45cca0bd9f777d9bc12eb5b4a3ca6fc9da9e97fc6eb9824

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\SSubTmr6.dll

Filesize
40KB

MD5
dc7a3bc0fc185cd68848dc6f7d7b026b

SHA1
c661cb1198f5e3927a67884e71ca95ff33026224

SHA256
6618b3ab331642449f0b07e4f39abf9fc3bb90ae90b298f1b9ffd58ca5397399

SHA512
22c9b2b7930e9e442699e37f43944f7cb4cd2562ed8319b4341c59475fa8071b501f4908227378b7883930f14c3059f66531bf876b386dea0027151b08006577

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\ThreadFactoryLib_RUNTIME.dll

Filesize
236KB

MD5
78553ebfaa9dbeed86d36cada603dd28

SHA1
8116289100f08644433a8287048b1dc173f19651

SHA256
6f785af3c555e69be6b862ce9e7073adc060e5b940808d63b1aed142b50352fd

SHA512
3eaa60beb40a3c2181cdf61df651b6bde29ed187fe5083ebeacf9d7c406bb0e8a727b5493b64921276c9951ccf66d005c1591c84755bbf46402500a81643bf69

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\ThreadFactoryOCX_RUNTIME.ocx

Filesize
168KB

MD5
f20177009cb6681e6a98270527f4d781

SHA1
d7b48256530bcdfe6c39ea0a56d644f437d6d9cf

SHA256
eaae5e67e234944c588ef4ae17fdf7aad06a924e04bf8804decb43484e38e37e

SHA512
474a383ed666ded0c2d74b5e58e653a2f2cdede31873e9732ed27fd9fd719df3dc415c9ffd0eb5fb9d5cf28bb915df6e1b42d8ba8249ae2c026d0e0e17cc7c37

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\cNewMenu6.dll

Filesize
156KB

MD5
0a096566e80eab85c466a3f260d0d2fe

SHA1
517abbe0d2c2311e84ed5a9ecea7d0f00656eb25

SHA256
d8097ac6080f06779f6d6ee48c2ae79882d562f66bd3de18afe6bd84a5783004

SHA512
f0bbaa449e33adea49163665935ba7d8bb9e0255690b6b65e9c77a2cdaece53643b9943ba342c6fff4404afab862bd48d3b5f86bd61b1dfb7d98d6213bae0b82

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\iGrid700_10Tec.ocx

Filesize
918KB

MD5
2bf7311a50ff74525b69f360018fe245

SHA1
957a5675ae31082a2d0af04d2fbd2df6ff29d429

SHA256
3195717080dcd458068d3253d20935a12173e6ecb171b74cb3aa4d05f139f8b6

SHA512
b3f061797e26ec9dc42c3a04523a6b3ec98311ab9f2bb5b7260515d9e43ddf4e35c741ed2dc80335dc7922b1ee712f4c7585fe323495353ac52b0c20ca359a9b

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\is-9IUSV.tmp

Filesize
2.5MB

MD5
4af8e37c0fe4ff8d19927e708816d474

SHA1
6cacf3eb3159535239abd9d7d7fd787f3a0966d5

SHA256
a450d8204ab794fd00ace8539e7b828e4a2e85d4731f54edee4a82a269b15801

SHA512
b7ac820af2978216d975b8db681172f12ba8e354a0da93c2f9075ed219ba2516a62adb4d658adf9f390812b40a2c29f352b246563cc8a2410631c648ea21408b

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\vbRichClient5.dll

Filesize
3.7MB

MD5
92c39b92040ad9c88af3fe70bf0abff5

SHA1
866a3af0e503bdc1a9e13d7ebfee08f43a690dd5

SHA256
5d4e60ceb742a6c53855c2c2c80c960a788109881d6a2d4948b38a488862ce6a

SHA512
0b1ffab958735bcc2fb4d42aab4f7158faeb723c6286cd4050a3fca01ae7c25f62d18f975d17badf0b7aacc645c7117e28992870fb0eb0b6fe59523da4537f97

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\vbalIml240_10Tec.ocx

Filesize
136KB

MD5
f8df78f319736723c2551e781b2562d4

SHA1
0ea470ffe6da1520320b073fe42e6dc500359ff0

SHA256
2aa5262d0fbb8ad08e3b0913ebe65b39e9d7f142102536b94ea6c056345a785e

SHA512
e7a406314d0fc3ed1e84ccfb08a81a7520bc6030c4e815bba61b4074157fd170e0f4ef2d82eac4dc65b4baed11185407b672866f538b87e54868d24de33e7efb

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\vbalSbar6.ocx

Filesize
56KB

MD5
f2a60642c8c2f180da8ebeac3e089334

SHA1
d449a76765887bb3bbc2cda641087a048d5d37d1

SHA256
9018b1ccd2a67cba1c5fb93e868240473d53e7b9fa2b5e31d17a66c9b325c4e2

SHA512
7607e6d4885b0571e6c7f816cc24b10e5c403aaf8143190ab6a83464aea7041e5e98160454a161f7cd6985b6cb4b6b266f0a04b7acb65448fd82606095fcd2b4

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Portable\Components\vbalTbar6.ocx

Filesize
364KB

MD5
93968a328cbc6495860f9ae1c9f5ee71

SHA1
98ea43ec154d5a7344888ec72babee5b2fe7142b

SHA256
35e6c9095fb07b5b45d5c3b1ff9a335ed2df3db38ce8f9d4cb7a3b081caab404

SHA512
05c543dabab48ad964a312aeb67e14b72472ab662e9ce30af49e6d210c423ec20ff372467ef78b5772eb12b350cbfde11e19baaa8711ca9aa98f9b0120db2392

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.cfg

Filesize
583B

MD5
fa981bce7a31a65a5025f4aa78abb87e

SHA1
961fee76f84455de110e05d6645a8e10bab17298

SHA256
f0369961acafed9e30252e688f873cf767e4c4b0bb4faeb3c098a4be96ebe7a6

SHA512
6b08e3abc258d8700a3489a3ada7cf7809f50ebb05ea7f3e8454287f63f19297d992a518b35ad224cdcda3d3481f448dbe6b51727688aaa1ed04acc071ab788a

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.dll

Filesize
438KB

MD5
5afd55df4d7962cd0dc79149feef7bc2

SHA1
f55805fe197907c121013e02a924e9c9f5bacc48

SHA256
5dd00c80477d0cd0feff6d49a71b0cf1c50847f58a5c0eef8adb88dc4f6d5762

SHA512
3afd52aad5cd8c24177060f335c3a01f685e84d0f71db34c48e71e745c18758d0b5e8c54bdea6f0f14e085941f2b1c92b2da716b405864d7a4db6eb770ced3de

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\Slitheris.exe

Filesize
841KB

MD5
3b814b7f43e1bf1bb55d09159a1ae85f

SHA1
ec27002b647c965577e1eef42a1a37a8679c3c6f

SHA256
fff2511a3479dc9c07ae18d44928e5789a478b1cf96638a9a47e6faf07eaf782

SHA512
9f370f73e02a9d48c6b2b7dcfe8464094a7419ec48b16384e81ba7db73eb5a44de9461e98919f16545fd22f89448bc4c362a15c7928ea2edbf72c77d9a9e4f25

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.dat

Filesize
344B

MD5
7b5d735e9303aa72a083ab18bb7c935e

SHA1
bd510db065670bef723c24292df0b9ebe47560bf

SHA256
75e0964e8d343fe1b6dcaf7904619f9660f3204c7d14d4d7a68b8efe0321b0b2

SHA512
fa6bc9020b6373844fab779f77bc4f849c23ca408703db00affc11a4e288123de94852f42138b1d16e2811a89f4a1ebe0199e1bb0a83d7f294b0bed7de60de02

Download Submit
C:\Program Files (x86)\Komodo Labs\Slitheris\SlitherisDetect.mdb

Filesize
5.6MB

MD5
29a79ab4f77d33bc7597fe966f530e53

SHA1
4bafd0cb7a297dd69fa9d7612c5110e6d844ed31

SHA256
4bef4d49c0b8c58437932a1c04fa28350257656d31b02c31eb58420fd870d010

SHA512
57a2658650184feac970206e78169e3c5ec30d935a5ecbe60fe0739b8f860054a938c66af579f6252cdc9380545928933dbca25ab1ff0e5aaf729c3e1b7e2cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DMDDC.tmp\slitheris_installer.tmp

Filesize
3.1MB

MD5
b43d853e5756b57ab6343dc87dec1ab6

SHA1
f650c16f7d98fd5ce153294dcd5b21cd866956af

SHA256
3c3a08aefde2193b047846dcf244c8139270c9738e80c7b652386b8c34d586cc

SHA512
95fa7036adbcd2f940d5370695ae49e9c8090facc3888327729350b0a2371ca099c56ee4720554f5fcecdf14cb1191d622400c30c7d33cd634ad5fec63e4ab4f

Download Submit
C:\Windows\SysWOW64\DirectCOM.dll

Filesize
23KB

MD5
f9cad96ec2e655d19d474160c7c53485

SHA1
3cbfc63d55c695f2aafb2add276fe60da968d952

SHA256
f7fef855fdf9dac44fd23b06d1c7ecbe4142f11aaa5d68a3c91c578bdc64df05

SHA512
9d6f379c873ed8028cfae606f31536495babdd3224682cf200864b5c7b493d69b7604978e8882872340a7a64ab21f141fb4ee9bb63843400bf68ed58a6c6b3b3

Download Submit
memory/1692-6-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1692-137-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1692-143-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1692-9-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/1692-163-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/2084-145-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-195-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-157-0x0000000003BF0000-0x0000000003C2C000-memory.dmp

Filesize
240KB

Download
memory/2084-226-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-170-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-212-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-213-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-175-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-174-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-176-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-178-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-180-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-181-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-188-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download
memory/2084-187-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2084-194-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2404-164-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2404-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2404-8-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2404-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3572-138-0x0000000034240000-0x00000000343DF000-memory.dmp

Filesize
1.6MB

Download