Suspicious
Unsigned 2015-era EXE with one tier-2 adware flag, process-injection behaviour, and direct-IP contacts but no tier-1 consensus.
64cd424ac3969f7b6c…b8d62d1b05
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file shows classic borderline traits: minimal engine coverage (only one tier-2 malicious label), unsigned status, and sandbox evidence of process injection plus direct-IP communication. Prevalence data indicates long-term distribution without widespread malicious reputation. No tier-1 engines or family consensus support a malicious call, yet the offensive MITRE techniques and heuristic triggers prevent a clean safe verdict.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.topDetections[0]: Zillya tier2 Adware.Eorezo.Win32.17620
behaviour.offensiveTechniques: T1055, T1562.001
externalIntel.circl.knownMalicious=malshare.com
prevalence.classification=common_old (295 sources, 387 submissions)
triggeredHeuristics[1]: MalwareTips.Synth.ProcessInjection high severity
- Common-old prevalence (387 submissions)
- No tier-1 malicious detections
- No malicious dropped children
- No malicious sandbox verdicts
- Unsigned executable
- Process injection (T1055) observed
- Direct-IP contacts without DNS
- Single adware label from tier-2 engine
Treat as suspicious pending further verification; do not execute on production systems without isolation.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework: T1055 (Process Injection) and T1562.001 (Impair Defenses: Disable or Modify Tools), as listed in the signals above.
Contacted IP addresses (the three a83f:8110:… entries lie outside the IPv6 global-unicast block 2000::/3 and are not routable; treat them as sandbox parsing artifacts rather than real contacts):
- a83f:8110:7400:6100:6e00:6400:6200:7900
- 20.99.132.105
- a83f:8110:0:0:100:0:1800:0
- 23.216.147.64
- 20.99.133.109
- 23.216.147.76
- 20.99.184.37
- a83f:8110:f80f:46f3:8609:ce9e:dce3:b686
- 192.229.211.108
- 20.99.186.246
Requested URLs:
- http://s1.skmedix.pl/launcher/2.8/sklauncher.json
- http://s1.skmedix.pl/launcher/2.8/sklauncher.json/
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
- http://crl.microsoft.com/pki/crl/products/WinPCA.crl
Files and directories touched:
- C:\Users\<USER>\AppData\Local\Temp\hsperfdata_admin\2924
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d8401.timestamp
- C:\ProgramData\Oracle\Java\.oracle_jre_usage
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8080.timestamp
- C:\Users\user\AppData\Local\Temp\hsperfdata_user
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c05.timestamp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0B.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1C.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2D.tmp.txt
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER19DC.tmp.WERInternalMetadata.xml
Mutexes and named objects:
- Local\__DDrawExclMode__
- Local\__DDrawCheckExclMode__
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 30486e68f76baab82133…5c285f (never scanned, never seen before)
- 93babcc66ef22dfc9e14…a5e8b5 (never scanned, never seen before)
- 509eb3d47d81e6b052fe…d5d543 (never scanned, never seen before)
- 0b75acf854f2f020bb49…0485c4 (never scanned, never seen before)
- e0277fd504bda3bd7b6e…7a20ee (never scanned, never seen before)
- 650802f59259082d848f…ed02c4 (never scanned, never seen before)
- 1ea4f71cedf08ae8014f…e96a6f (never scanned, never seen before)
- 1d08f16f4929b292bbf9…fbbee9 (never scanned, never seen before)
- 550a4f11378f0ee9049a…2d2d3a (never scanned, never seen before)
- 394987d67c32ef2113cc…ab3f1e (never scanned, never seen before)
1 corroborating signal from researcher-curated sources
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and behaviours and carry high weight, but on a common-old file they should be read together with the prevalence and engine-coverage data above rather than taken as definitive on their own.
MITRE T1055 (Process Injection) observed. The technique covers CreateRemoteThread, APC and reflective-DLL injection, where a payload is run inside a legitimate process to get past AV hooks. The evidence cited here is a spawned Internet Explorer process; the injection primitive itself is not shown on this page, so confirm it in the full sandbox trace before treating the rule as proof.
Evidence: C:\Program Files\Internet Explorer\iexplore.exe ("C:\Program Files\Internet Explorer\iexplore.exe" -nohome)

Direct-IP contacts without DNS: the rule reports 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists. Caveat: the URL list above contains s1.skmedix.pl and crl.microsoft.com, so this sample resolved at least two hostnames, and the a83f:8110:… entries are not routable IPv6 addresses; discount this rule accordingly.
Evidence: a83f:8110:7400:6100:6e00:6400:6200:7900 · 20.99.132.105 · a83f:8110:0:0:100:0:1800:0
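To check the direct-IP rule against what the sandbox actually recorded, here is an added Python example (not code from MalwareTips or from the SKlauncher project) that classifies each listed address as routable or artifact, pulls the hostnames out of the requested URLs, and decodes the odd IPv6 literals as UTF-16LE to see whether they are misread process memory. The input lists are copied from this page; the function and variable names are the example's own.

```python
"""Re-check the 'direct-IP without DNS' heuristic from the artifacts on the page.

Added example; not MalwareTips or SKlauncher code.  Runs fully offline."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: the contacted IPs and requested URLs listed on this page.
OBSERVED_IPS = [
    "a83f:8110:7400:6100:6e00:6400:6200:7900",
    "20.99.132.105",
    "a83f:8110:0:0:100:0:1800:0",
    "23.216.147.64",
    "20.99.133.109",
    "23.216.147.76",
    "20.99.184.37",
    "a83f:8110:f80f:46f3:8609:ce9e:dce3:b686",
    "192.229.211.108",
    "20.99.186.246",
]
OBSERVED_URLS = [
    "http://s1.skmedix.pl/launcher/2.8/sklauncher.json",
    "http://s1.skmedix.pl/launcher/2.8/sklauncher.json/",
    "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
    "http://crl.microsoft.com/pki/crl/products/WinPCA.crl",
]

# Only 2000::/3 is allocated by IANA for global unicast; anything else
# cannot be a real Internet peer.
IPV6_GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def is_routable(addr: str) -> bool:
    """True for an address that can be reached across the public Internet.
    IPv4 uses ipaddress.is_global (excludes RFC 1918, loopback, CGNAT, ...);
    IPv6 is restricted to the 2000::/3 global-unicast block."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip in IPV6_GLOBAL_UNICAST
    return ip.is_global


def utf16_fragment(addr: str) -> str:
    """Decode the 16 raw bytes of an IPv6 literal as UTF-16LE and return the
    longest run of printable ASCII.  A readable run means the 'address' is a
    chunk of Windows (UTF-16) process memory that the sandbox parser misread."""
    text = ipaddress.IPv6Address(addr).packed.decode("utf-16-le", errors="replace")
    runs = re.findall(r"[ -~]+", text)
    return max(runs, key=len) if runs else ""


def hostnames(urls) -> set:
    """Hostnames the sample requested; each one implies a DNS lookup.
    URLs that carry an IP literal instead of a name are skipped."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            hosts.add(host)
    return hosts


def assess(ips, urls) -> dict:
    """Split the IP list into routable peers and artifacts, collect resolved
    names, and decide whether 'direct-IP contacts without DNS' is supported."""
    routable = [a for a in ips if is_routable(a)]
    artifacts = [a for a in ips if not is_routable(a)]
    hosts = hostnames(urls)
    return {
        "routable_ips": routable,
        "artifact_ips": artifacts,
        "decoded_artifacts": {a: utf16_fragment(a) for a in artifacts if ":" in a},
        "hostnames": sorted(hosts),
        # The rule only holds if real peers were reached AND no name was resolved.
        "no_dns_direct_ip": bool(routable) and not hosts,
    }


if __name__ == "__main__":
    for key, value in assess(OBSERVED_IPS, OBSERVED_URLS).items():
        print(f"{key}: {value}")
```

On the page's own data this yields seven routable IPv4 peers, three artifact entries (the first decodes to the UTF-16LE text "tandby"), two resolved hostnames, and therefore no support for the no-DNS claim; the same function reports the rule as supported only when the URL list is empty.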
1 detection across 76 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: SKlauncher 2.8.exe
- Size: 2.87 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 64cd424ac3969f7b6cc24d0270a25a08358e11bc21bac9092d69bcb8d62d1b05
- MD5: 1912147b702e3fb69dcb697f050fc08d
- SHA-1: af3650e3bced91a94602506cf574da15ae26d8ef
- PE imphash: 6011984d7c1f1b97a34d7517a498bff8
- First seen (VT): 6/5/2015, 8:54:39 AM
- Last analysis (VT): 3/24/2026, 1:24:27 PM
- First scan (MalwareTips): 7/5/2026, 5:09:37 AM
- Last scan (MalwareTips): 7/5/2026, 5:10:13 AM
- Community reputation: +14 (trusted)
Reviews & malware reports (0)