bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9

Analysis

max time kernel
43s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66705e2f337c1cbfc92b0082bc1d1c0d.exe
Size

84KB
MD5

66705e2f337c1cbfc92b0082bc1d1c0d
SHA1

221f47b853868e0b35694b7650c7220f99e410c2
SHA256

bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9
SHA512

35adf6138984470d8ffdb8a81371d162178e720dd8bccc7058697ff2acfdcd191887f7d376e91aa6d13be215b847f39b2b53b235d5600ab81e67f422cefeaace
SSDEEP

1536:xQQHwnG7UCYnKZcCvMHRAqlhOx+V3fbcyd1:xFQnG7UCMQcCvMlOx+V33d1

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 47 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1068	attrib.exe
1744	attrib.exe
1668	attrib.exe
2332	attrib.exe
2004	attrib.exe
2724	attrib.exe
604	attrib.exe
2208	attrib.exe
2592	attrib.exe
2612	attrib.exe
2572	attrib.exe
1804	attrib.exe
1552	attrib.exe
2668	attrib.exe
2212	attrib.exe
2904	attrib.exe
2560	attrib.exe
2148	attrib.exe
2560	attrib.exe
996	attrib.exe
2168	attrib.exe
2912	attrib.exe
564	attrib.exe
1980	attrib.exe
3052	attrib.exe
2848	attrib.exe
1652	attrib.exe
1224	attrib.exe
2988	attrib.exe
2544	attrib.exe
2268	attrib.exe
2584	attrib.exe
332	attrib.exe
544	attrib.exe
2336	attrib.exe
1708	attrib.exe
708	attrib.exe
2280	attrib.exe
1864	attrib.exe
1216	attrib.exe
1728	attrib.exe
1040	attrib.exe
2928	attrib.exe
380	attrib.exe
2656	attrib.exe
1844	attrib.exe
2136	attrib.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 14 IoCs

pid	Process
2896	MYThunder.exe
2580	MYThunder.exe
1752	MYThunder.exe
1548	MYThunder.exe
1592	MYThunder.exe
2260	MYThunder.exe
1416	MYThunder.exe
2440	MYThunder.exe
1876	MYThunder.exe
1808	MYThunder.exe
1440	MYThunder.exe
2708	MYThunder.exe
1584	MYThunder.exe
2984	cmd.exe

Loads dropped DLL 28 IoCs

pid	Process
3052	cmd.exe
3052	cmd.exe
2804	cmd.exe
2804	cmd.exe
2840	cmd.exe
2840	cmd.exe
2880	cmd.exe
2880	cmd.exe
2016	cmd.exe
2016	cmd.exe
384	cmd.exe
384	cmd.exe
2212	cmd.exe
2212	cmd.exe
3004	cmd.exe
3004	cmd.exe
1632	cmd.exe
1632	cmd.exe
1468	cmd.exe
1468	cmd.exe
2328	cmd.exe
2328	cmd.exe
2320	cmd.exe
2320	cmd.exe
2836	cmd.exe
2836	cmd.exe
2612	attrib.exe
2612	attrib.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\677.2882.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\35.50357.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\519.6344.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\385.0214.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	66705e2f337c1cbfc92b0082bc1d1c0d.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\327.7704.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\395.8704.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\718.4564.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\931.4691.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\MYThunder.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\711.1017.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	cmd.exe
File created	C:\Windows\SysWOW64\201.1682.bat	cmd.exe
File created	C:\Windows\SysWOW64\535.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\865.658.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\62.0386.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\703.4875.bat	66705e2f337c1cbfc92b0082bc1d1c0d.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\712.5208.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe

Runs ping.exe 1 TTPs 48 IoCs

Remote System Discovery

T1018

pid	Process
1192	PING.EXE
2096	PING.EXE
2260	PING.EXE
844	PING.EXE
2280	PING.EXE
1544	PING.EXE
2804	PING.EXE
576	PING.EXE
1648	PING.EXE
1624	PING.EXE
2736	PING.EXE
2148	PING.EXE
964	PING.EXE
2180	PING.EXE
320	PING.EXE
2860	PING.EXE
2104	PING.EXE
2796	PING.EXE
1532	PING.EXE
2704	PING.EXE
1896	PING.EXE
540	PING.EXE
1740	PING.EXE
1688	PING.EXE
1656	PING.EXE
1840	PING.EXE
2028	PING.EXE
608	PING.EXE
2416	PING.EXE
1188	PING.EXE
1488	PING.EXE
380	PING.EXE
2664	PING.EXE
2548	PING.EXE
2852	PING.EXE
1472	PING.EXE
2132	PING.EXE
2368	PING.EXE
2360	PING.EXE
2824	PING.EXE
2980	PING.EXE
2164	PING.EXE
776	PING.EXE
2764	PING.EXE
2368	PING.EXE
2152	PING.EXE
1852	PING.EXE
2064	PING.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2332	66705e2f337c1cbfc92b0082bc1d1c0d.exe
2896	MYThunder.exe
2580	MYThunder.exe
1752	MYThunder.exe
1548	MYThunder.exe
1592	MYThunder.exe
2260	MYThunder.exe
1416	MYThunder.exe
2440	MYThunder.exe
1876	MYThunder.exe
1808	MYThunder.exe
1440	MYThunder.exe
2708	MYThunder.exe
1584	MYThunder.exe
2984	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3052	2332	66705e2f337c1cbfc92b0082bc1d1c0d.exe	17
PID 2332 wrote to memory of 3052	2332	66705e2f337c1cbfc92b0082bc1d1c0d.exe	17
PID 2332 wrote to memory of 3052	2332	66705e2f337c1cbfc92b0082bc1d1c0d.exe	17
PID 2332 wrote to memory of 3052	2332	66705e2f337c1cbfc92b0082bc1d1c0d.exe	17
PID 3052 wrote to memory of 2764	3052	cmd.exe	15
PID 3052 wrote to memory of 2764	3052	cmd.exe	15
PID 3052 wrote to memory of 2764	3052	cmd.exe	15
PID 3052 wrote to memory of 2764	3052	cmd.exe	15
PID 3052 wrote to memory of 2572	3052	cmd.exe	35
PID 3052 wrote to memory of 2572	3052	cmd.exe	35
PID 3052 wrote to memory of 2572	3052	cmd.exe	35
PID 3052 wrote to memory of 2572	3052	cmd.exe	35
PID 3052 wrote to memory of 2896	3052	cmd.exe	34
PID 3052 wrote to memory of 2896	3052	cmd.exe	34
PID 3052 wrote to memory of 2896	3052	cmd.exe	34
PID 3052 wrote to memory of 2896	3052	cmd.exe	34
PID 2896 wrote to memory of 2804	2896	MYThunder.exe	33
PID 2896 wrote to memory of 2804	2896	MYThunder.exe	33
PID 2896 wrote to memory of 2804	2896	MYThunder.exe	33
PID 2896 wrote to memory of 2804	2896	MYThunder.exe	33
PID 2804 wrote to memory of 2736	2804	cmd.exe	31
PID 2804 wrote to memory of 2736	2804	cmd.exe	31
PID 2804 wrote to memory of 2736	2804	cmd.exe	31
PID 2804 wrote to memory of 2736	2804	cmd.exe	31
PID 2804 wrote to memory of 2560	2804	cmd.exe	40
PID 2804 wrote to memory of 2560	2804	cmd.exe	40
PID 2804 wrote to memory of 2560	2804	cmd.exe	40
PID 2804 wrote to memory of 2560	2804	cmd.exe	40
PID 2804 wrote to memory of 2580	2804	cmd.exe	39
PID 2804 wrote to memory of 2580	2804	cmd.exe	39
PID 2804 wrote to memory of 2580	2804	cmd.exe	39
PID 2804 wrote to memory of 2580	2804	cmd.exe	39
PID 2580 wrote to memory of 2840	2580	MYThunder.exe	38
PID 2580 wrote to memory of 2840	2580	MYThunder.exe	38
PID 2580 wrote to memory of 2840	2580	MYThunder.exe	38
PID 2580 wrote to memory of 2840	2580	MYThunder.exe	38
PID 2840 wrote to memory of 1840	2840	cmd.exe	36
PID 2840 wrote to memory of 1840	2840	cmd.exe	36
PID 2840 wrote to memory of 1840	2840	cmd.exe	36
PID 2840 wrote to memory of 1840	2840	cmd.exe	36
PID 2840 wrote to memory of 380	2840	cmd.exe	45
PID 2840 wrote to memory of 380	2840	cmd.exe	45
PID 2840 wrote to memory of 380	2840	cmd.exe	45
PID 2840 wrote to memory of 380	2840	cmd.exe	45
PID 2840 wrote to memory of 1752	2840	cmd.exe	44
PID 2840 wrote to memory of 1752	2840	cmd.exe	44
PID 2840 wrote to memory of 1752	2840	cmd.exe	44
PID 2840 wrote to memory of 1752	2840	cmd.exe	44
PID 1752 wrote to memory of 2880	1752	MYThunder.exe	43
PID 1752 wrote to memory of 2880	1752	MYThunder.exe	43
PID 1752 wrote to memory of 2880	1752	MYThunder.exe	43
PID 1752 wrote to memory of 2880	1752	MYThunder.exe	43
PID 2880 wrote to memory of 2028	2880	cmd.exe	41
PID 2880 wrote to memory of 2028	2880	cmd.exe	41
PID 2880 wrote to memory of 2028	2880	cmd.exe	41
PID 2880 wrote to memory of 2028	2880	cmd.exe	41
PID 2880 wrote to memory of 1068	2880	cmd.exe	46
PID 2880 wrote to memory of 1068	2880	cmd.exe	46
PID 2880 wrote to memory of 1068	2880	cmd.exe	46
PID 2880 wrote to memory of 1068	2880	cmd.exe	46
PID 2880 wrote to memory of 1548	2880	cmd.exe	50
PID 2880 wrote to memory of 1548	2880	cmd.exe	50
PID 2880 wrote to memory of 1548	2880	cmd.exe	50
PID 2880 wrote to memory of 1548	2880	cmd.exe	50

Views/modifies file attributes 1 TTPs 47 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1224	attrib.exe
2544	attrib.exe
2668	attrib.exe
1844	attrib.exe
2332	attrib.exe
2560	attrib.exe
2004	attrib.exe
1652	attrib.exe
2148	attrib.exe
332	attrib.exe
2612	attrib.exe
2208	attrib.exe
3052	attrib.exe
2280	attrib.exe
544	attrib.exe
1068	attrib.exe
1864	attrib.exe
708	attrib.exe
564	attrib.exe
2904	attrib.exe
1980	attrib.exe
1708	attrib.exe
1552	attrib.exe
2656	attrib.exe
2592	attrib.exe
2136	attrib.exe
380	attrib.exe
2724	attrib.exe
2988	attrib.exe
1668	attrib.exe
1040	attrib.exe
2560	attrib.exe
2212	attrib.exe
1744	attrib.exe
1728	attrib.exe
2848	attrib.exe
2572	attrib.exe
2168	attrib.exe
2912	attrib.exe
2268	attrib.exe
2928	attrib.exe
996	attrib.exe
1804	attrib.exe
1216	attrib.exe
2336	attrib.exe
604	attrib.exe
2584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\66705e2f337c1cbfc92b0082bc1d1c0d.exe
"C:\Users\Admin\AppData\Local\Temp\66705e2f337c1cbfc92b0082bc1d1c0d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\703.4875.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\MYThunder.exe
    "C:\Windows\system32\MYThunder.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\MYThunder.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\21.70962.bat
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2592
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        5⤵
        Runs ping.exe
        
        PID:2180
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:1800

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2764

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\865.658.bat
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2560

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\718.4564.bat
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:380

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\35.50357.bat
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:1068
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:320
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1548

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\712.5208.bat
1⤵
- Loads dropped DLL
PID:2016
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2004

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\327.7704.bat
1⤵
- Loads dropped DLL
PID:384
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2336

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\519.6344.bat
1⤵
- Loads dropped DLL
PID:2212
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:996

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\395.8704.bat
1⤵
- Loads dropped DLL
PID:3004
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\305.4163.bat
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.1
      4⤵
      Runs ping.exe
      PID:2360
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1216
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\116.7871.bat
  2⤵
  PID:1560

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\385.0214.bat
1⤵
- Loads dropped DLL
PID:1632
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2168

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\686.4587.bat
  2⤵
  PID:644
- - C:\Windows\SysWOW64\MYThunder.exe
    "C:\Windows\system32\MYThunder.exe"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\MYThunder.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\62.0386.bat
1⤵
- Loads dropped DLL
PID:1468
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1808
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:1652

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\677.2882.bat
1⤵
- Loads dropped DLL
PID:2328
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:1224

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\931.4691.bat
1⤵
- Loads dropped DLL
PID:2320
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2912

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\535.bat
1⤵
- Loads dropped DLL
PID:2836
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1584
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2724

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\711.1017.bat
1⤵
PID:2612
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:380
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2988

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\201.1682.bat
1⤵
PID:676
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1708

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\580.5322.bat
1⤵
PID:1360
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:776
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.1
      4⤵
      Runs ping.exe
      PID:2096
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1804

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\195.7819.bat
1⤵
PID:1596
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:332
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:708

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\258.4192.bat
1⤵
PID:2508
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2544

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\139.2481.bat
1⤵
PID:2252
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2212
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2416

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\440.8991.bat
1⤵
PID:2956
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2280

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\294.5673.bat
1⤵
PID:344
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1008
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1552

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\486.4313.bat
1⤵
PID:1996
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\629.0552.bat
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2332
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1744

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\152.2791.bat
1⤵
PID:1436
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\754.5587.bat
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\369.8084.bat
        5⤵
        
        PID:2592
      - C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\546.8256.bat
        7⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2584
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        8⤵
        
        PID:2576
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3052
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2656
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:1532

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\829.2963.bat
1⤵
PID:2376
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2668
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:2704

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\197.8113.bat
1⤵
PID:1516
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\874.8285.bat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1844
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        5⤵
        Runs ping.exe
        
        PID:1648
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\739.2389.bat
    3⤵
    PID:1844
  - - C:\Windows\SysWOW64\MYThunder.exe
      "C:\Windows\system32\MYThunder.exe"
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\MYThunder.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2848
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Loads dropped DLL
  - Views/modifies file attributes
  PID:2612

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2164
- C:\Windows\SysWOW64\PING.EXE
  ping 127.1
  2⤵
  - Runs ping.exe
  PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\875.6982.bat
1⤵
PID:2460
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\569.0271.bat
1⤵
PID:1832
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:812
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1668

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\433.5443.bat
1⤵
PID:320
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\422.6953.bat
1⤵
PID:2260
- C:\Windows\SysWOW64\PING.EXE
  ping 127.1
  2⤵
  - Runs ping.exe
  PID:2548
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1208
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:604

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\348.9801.bat
1⤵
PID:844
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1424
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:564

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\467.3578.bat
1⤵
PID:1896
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2904

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\82.60744.bat
1⤵
PID:1004
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1728
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2888

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\8.892239.bat
1⤵
PID:1868
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:964
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2208

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1656

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\416.2561.bat
1⤵
PID:2164
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:1748
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\580.639.bat
1⤵
PID:776
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\773.0524.bat
1⤵
PID:1068
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2060
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2268

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\450.0696.bat
1⤵
PID:2448
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2928
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:2908

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\127.6361.bat
1⤵
PID:2032
- C:\Windows\SysWOW64\MYThunder.exe
  "C:\Windows\system32\MYThunder.exe"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system32\MYThunder.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:544

C:\Windows\SysWOW64\PING.EXE
ping 127.1
1⤵
- Runs ping.exe
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\703.4875.bat

Filesize
311B

MD5
1c9048fc7805ab67f69dcfa18bfe912b

SHA1
54c0237af024fc2fbf0b6105a78ab31e3c31244b

SHA256
908add401d7a561fd3ba1c7560631ca084d1206692ae8145dfc0bcc752929368

SHA512
4162300c95b000651d4b3692a0f9f98347e7295304871757b31fa189707a068d9b64c7a2d2f7ac1cf9b0b45d80fdc267078363b727a756c3fa57a73e71bf965d

Download Submit
C:\Windows\SysWOW64\865.658.bat

Filesize
237B

MD5
c0ea8e4f6bff2b368876aae30e5b9133

SHA1
60752e2339f9595484a633921f6a41ca96851614

SHA256
78a469841695afd4cef2c5656bafe2bc328dbf9c181a31a676daad391e8d2a8d

SHA512
5aaf2b9913f95a5e371c70731e33ee09cb2d874ea2afbba92112481e39b3e58f84017234b3ac4df09d2532a22da8c7eef53045d6c1b24168ef906c1c5edb10fc

Download Submit
C:\Windows\SysWOW64\MYThunder.dll

Filesize
40KB

MD5
d7e2d8bb3274c718d168b871a34c3915

SHA1
46b0119255f6eb229efda2e5509f6e8437bace61

SHA256
7128af1d5903e332900a2ecbe8bc6fa9194968dfc7150d38d7adb7b8bf8a1a34

SHA512
0cc1eca7af98fc9cfd1a73fdd6fd786a595193b647dc6235d86660d5d3088f68eb6cc31a4f0ddb8388525aab3fe167b8bfa25a499aedf145264cdc9730e747cd

Download Submit
C:\Windows\SysWOW64\MYThunder.exe

Filesize
84KB

MD5
66705e2f337c1cbfc92b0082bc1d1c0d

SHA1
221f47b853868e0b35694b7650c7220f99e410c2

SHA256
bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9

SHA512
35adf6138984470d8ffdb8a81371d162178e720dd8bccc7058697ff2acfdcd191887f7d376e91aa6d13be215b847f39b2b53b235d5600ab81e67f422cefeaace

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads