Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
23-06-2024 21:32
Behavioral task
behavioral1
Sample
skuld.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
skuld.exe
Resource
win10v2004-20240611-en
General
-
Target
skuld.exe
-
Size
9.5MB
-
MD5
37681ae19279fec51c002e7f6907bced
-
SHA1
d6dce788f74a5c827a84f7a28953dab34684ae29
-
SHA256
cd4fffe44462f93456326d20ad8a22ea1be87c9ba1670fb7e2e414e5e7c1c83f
-
SHA512
e80abbfd9d1ff49f90c097db2ad975d48df59b97ef922692e8b8adbac8629965008924064358b218e864b588c0d52e3c44245a08cc712f8c403b21180c1d8f30
-
SSDEEP
98304:60fFH9tHce0xpD034tfgPSgqaWqjOEMCoEBTp6u:LT5cZxB1YSgqabjrMCL6u
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1254543345703977021/GGEp1kTIdcnrlXbkstceRTKYL1MjeavIS4CYW77UE3k75CymaXcXytUfkZVnLNW1d_wt
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2316 powershell.exe 772 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts skuld.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" skuld.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 21 discord.com 12 discord.com 14 discord.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org 9 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 skuld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum skuld.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4120 wmic.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 10 Go-http-client/1.1 -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636520179784812" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 skuld.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 skuld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 skuld.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 skuld.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 skuld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C skuld.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 2316 powershell.exe 644 skuld.exe 644 skuld.exe 2316 powershell.exe 644 skuld.exe 644 skuld.exe 772 powershell.exe 644 skuld.exe 644 skuld.exe 772 powershell.exe 1960 powershell.exe 644 skuld.exe 644 skuld.exe 1960 powershell.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe 644 skuld.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 644 skuld.exe Token: SeIncreaseQuotaPrivilege 4716 wmic.exe Token: SeSecurityPrivilege 4716 wmic.exe Token: SeTakeOwnershipPrivilege 4716 wmic.exe Token: SeLoadDriverPrivilege 4716 wmic.exe Token: SeSystemProfilePrivilege 4716 wmic.exe Token: SeSystemtimePrivilege 4716 wmic.exe Token: SeProfSingleProcessPrivilege 4716 wmic.exe Token: SeIncBasePriorityPrivilege 4716 wmic.exe Token: SeCreatePagefilePrivilege 4716 wmic.exe Token: SeBackupPrivilege 4716 wmic.exe Token: SeRestorePrivilege 4716 wmic.exe Token: SeShutdownPrivilege 4716 wmic.exe Token: SeDebugPrivilege 4716 wmic.exe Token: SeSystemEnvironmentPrivilege 4716 wmic.exe Token: SeRemoteShutdownPrivilege 4716 wmic.exe Token: SeUndockPrivilege 4716 wmic.exe Token: SeManageVolumePrivilege 4716 wmic.exe Token: 33 4716 wmic.exe Token: 34 4716 wmic.exe Token: 35 4716 wmic.exe Token: 36 4716 wmic.exe Token: SeIncreaseQuotaPrivilege 4716 wmic.exe Token: SeSecurityPrivilege 4716 wmic.exe Token: SeTakeOwnershipPrivilege 4716 wmic.exe Token: SeLoadDriverPrivilege 4716 wmic.exe Token: SeSystemProfilePrivilege 4716 wmic.exe Token: SeSystemtimePrivilege 4716 wmic.exe Token: SeProfSingleProcessPrivilege 4716 wmic.exe Token: SeIncBasePriorityPrivilege 4716 wmic.exe Token: SeCreatePagefilePrivilege 4716 wmic.exe Token: SeBackupPrivilege 4716 wmic.exe Token: SeRestorePrivilege 4716 wmic.exe Token: SeShutdownPrivilege 4716 wmic.exe Token: SeDebugPrivilege 4716 wmic.exe Token: SeSystemEnvironmentPrivilege 4716 wmic.exe Token: SeRemoteShutdownPrivilege 4716 wmic.exe Token: SeUndockPrivilege 4716 wmic.exe Token: SeManageVolumePrivilege 4716 wmic.exe Token: 33 4716 wmic.exe Token: 34 4716 wmic.exe Token: 35 4716 wmic.exe Token: 36 4716 wmic.exe Token: SeIncreaseQuotaPrivilege 4120 wmic.exe Token: SeSecurityPrivilege 4120 wmic.exe Token: SeTakeOwnershipPrivilege 4120 wmic.exe Token: SeLoadDriverPrivilege 4120 wmic.exe Token: SeSystemProfilePrivilege 4120 wmic.exe Token: SeSystemtimePrivilege 4120 wmic.exe Token: SeProfSingleProcessPrivilege 4120 wmic.exe Token: SeIncBasePriorityPrivilege 4120 wmic.exe Token: SeCreatePagefilePrivilege 4120 wmic.exe Token: SeBackupPrivilege 4120 wmic.exe Token: SeRestorePrivilege 4120 wmic.exe Token: SeShutdownPrivilege 4120 wmic.exe Token: SeDebugPrivilege 4120 wmic.exe Token: SeSystemEnvironmentPrivilege 4120 wmic.exe Token: SeRemoteShutdownPrivilege 4120 wmic.exe Token: SeUndockPrivilege 4120 wmic.exe Token: SeManageVolumePrivilege 4120 wmic.exe Token: 33 4120 wmic.exe Token: 34 4120 wmic.exe Token: 35 4120 wmic.exe Token: 36 4120 wmic.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe 2236 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 644 wrote to memory of 4892 644 skuld.exe 85 PID 644 wrote to memory of 4892 644 skuld.exe 85 PID 644 wrote to memory of 2136 644 skuld.exe 86 PID 644 wrote to memory of 2136 644 skuld.exe 86 PID 644 wrote to memory of 4716 644 skuld.exe 87 PID 644 wrote to memory of 4716 644 skuld.exe 87 PID 644 wrote to memory of 4120 644 skuld.exe 91 PID 644 wrote to memory of 4120 644 skuld.exe 91 PID 644 wrote to memory of 2316 644 skuld.exe 92 PID 644 wrote to memory of 2316 644 skuld.exe 92 PID 644 wrote to memory of 772 644 skuld.exe 93 PID 644 wrote to memory of 772 644 skuld.exe 93 PID 644 wrote to memory of 1960 644 skuld.exe 94 PID 644 wrote to memory of 1960 644 skuld.exe 94 PID 772 wrote to memory of 4412 772 powershell.exe 95 PID 772 wrote to memory of 4412 772 powershell.exe 95 PID 4412 wrote to memory of 4440 4412 csc.exe 96 PID 4412 wrote to memory of 4440 4412 csc.exe 96 PID 644 wrote to memory of 2024 644 skuld.exe 97 PID 644 wrote to memory of 2024 644 skuld.exe 97 PID 644 wrote to memory of 1948 644 skuld.exe 98 PID 644 wrote to memory of 1948 644 skuld.exe 98 PID 2236 wrote to memory of 880 2236 chrome.exe 109 PID 2236 wrote to memory of 880 2236 chrome.exe 109 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 4884 2236 chrome.exe 110 PID 2236 wrote to memory of 324 2236 chrome.exe 111 PID 2236 wrote to memory of 324 2236 chrome.exe 111 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 PID 2236 wrote to memory of 2608 2236 chrome.exe 112 -
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 2136 attrib.exe 2024 attrib.exe 1948 attrib.exe 4892 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\skuld.exe"C:\Users\Admin\AppData\Local\Temp\skuld.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe2⤵
- Views/modifies file attributes
PID:4892
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe2⤵
- Views/modifies file attributes
PID:2136
-
-
C:\Windows\System32\Wbem\wmic.exewmic csproduct get UUID2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
-
C:\Windows\System32\Wbem\wmic.exewmic path win32_VideoController get name2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\skuld.exe2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vg2to5mv\vg2to5mv.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A16.tmp" "c:\Users\Admin\AppData\Local\Temp\vg2to5mv\CSC7719FC7E64FF487DBD9BE53610FCDDA.TMP"4⤵PID:4440
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960
-
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2024
-
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7d0aab58,0x7fff7d0aab68,0x7fff7d0aab782⤵PID:880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:22⤵PID:4884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:2608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:12⤵PID:4564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:12⤵PID:2824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:12⤵PID:3708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3976 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:1220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:2756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:2984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:82⤵PID:3620
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:1676
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5aa4b85a-e733-44aa-841b-184344aa35c4.tmp
Filesize1KB
MD51afcd20052ad711b1d4504e4729e6b6b
SHA1aa73501bb715ebc64affbc20179e82ce829a0e30
SHA256bf2f0ff2b45c122c820d5bc34188c7cdf199319b9115f1104de5d9705a3426d8
SHA51237faf7273076b405dce3a82d8609492da3bb7b0535579c3680ea505e40eb639e18fe9cd5bf34ad7cea0b0fccb128bad302cc62bf3bc2f6f40dd946ce6405d434
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5ba57533c678770aab8de5f8b479fbc92
SHA1b0bdf8760b75009d6d367f4bc5cf0d0f24b26bf1
SHA256b882d6676cfd5f5c5afda66d2074082b8da5032ddd7ee3996c43d677a9145cc3
SHA512461817cb57560d4d3ca6bf79c4bb5f8f3f763e1e6d70681126d11ba7b02164294d3f22c282a6b93f53e397a323795ccd267cd591d0579d1cae8c4391f40db55d
-
Filesize
6KB
MD51813de2d2b9fdbda89c4c44d9f8fbc04
SHA11e231b2bdad103eb42099663cc8f55502e52d48e
SHA256ad586eed408e3e8a8295774dfd5da527f1e7a428e785142b8d849c4854d493a7
SHA512ee15697d28bfd514250c1adc3e850b8f3e9214c03cccf013da3e12fdd15694c3839273691b490ec4a0fd02be2ba987fc95e9893de30cc47900694479403e47be
-
Filesize
16KB
MD5ff01fa1045c5fdc2d2c6bd4d96e97bb3
SHA191d9bf37048c7495107dff5456de4f04f5919ab7
SHA2568d43ca271857fa39c307c268965f335685166e239a3dcbcf9f270643e54e494c
SHA512a9f664d59b3a8cae463cdb71554b50b0f549557c523c32f8e96ddaad35a4b0d3a7ccd2e62fbd39436ed5d4d779f4a741aa7ff6ca7cfc422af3d35948bdc7f461
-
Filesize
138KB
MD5e7605709cb89a48c62e8a88b6cd0b689
SHA1246d2f2d6e7c8a0d832e2ff3715abaa8dda98680
SHA2562602c6e1d049d710a0d3dce44db7a733a6604d1c4ccea7fb5a7bb098a2f70a28
SHA5124692da10e1b2ded119cde2812f8455a2d6f0012d12d15b7db3d8802831add60b2c38f6693a6451376098966306980afef95457d3862d06d23ffeb181608261d0
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD526403455115fbc3da2573a37cc28744a
SHA16a9bf407036a8b9d36313462c0257f53b4ee9170
SHA256222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352
SHA512be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6
-
Filesize
1KB
MD5968da7cccc88900b0eb71106f3913c9c
SHA1f948025f0b43ef4331fedd87e26dedbdc3b3cff6
SHA2569e3687d32b1c4e8c196d5069eb9ef05940fb83142923d5a37b9a053de85bfce6
SHA512aa4f9bd8ced6c08eb7e6c3d9d3e9108f35638283c3a02d911d443e854fae24cd2e549e28749a6a7177aa65580a9e02052fefa64b4bd268202ee101429a05888e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5d5763767fcf436fc0064ef1cf65e0959
SHA184ae3da8bff48cac6f89ee455b626d6d5a0a7908
SHA256060aa5fbf82af8eb4e51a6f6c2b0e23cd30d7c464ab9c51de36c68d0f431afef
SHA51295629cb6d7234a36fa61e04b7c040e271f2e32145a2d6741bc55f4ced610930affd85f3160a37695107b3037a794728448386ed3ddcfdd69331d7ae586d6bedf
-
Filesize
408KB
MD5734e6d692d3ef0dfdadbea05251cbe54
SHA1520808515ce85e1a28f4fe3de4b76f5d511bb305
SHA256d6b1d9675c1ce2ad800bdf9109859f67317b9aa9faf5b0c2fb3438c86d686430
SHA512b09c594aeaf32e2bdce6afe217d391e993072a21e34c1a943168dd93c5e208b9ccd9f18f8d47b9bb83b1a20bf3ff442e0b3616f37aea10e659337104c69132f6
-
Filesize
9.5MB
MD537681ae19279fec51c002e7f6907bced
SHA1d6dce788f74a5c827a84f7a28953dab34684ae29
SHA256cd4fffe44462f93456326d20ad8a22ea1be87c9ba1670fb7e2e414e5e7c1c83f
SHA512e80abbfd9d1ff49f90c097db2ad975d48df59b97ef922692e8b8adbac8629965008924064358b218e864b588c0d52e3c44245a08cc712f8c403b21180c1d8f30
-
Filesize
2KB
MD56e2386469072b80f18d5722d07afdc0b
SHA1032d13e364833d7276fcab8a5b2759e79182880f
SHA256ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075
SHA512e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb
-
Filesize
652B
MD5e31b976474be5156448ccdb9302ec0f0
SHA1cbaf26af4955c1a65c682cc5fbfa5f320aa44560
SHA256d9944db4602fdce611a434e591e5bd5543c3f5604e42539d3bb8fe15586bd09f
SHA51268cbdf3c7805e4d9eafb07b10f95eb57a8216c060988d3fb261b28cdb25709a9e26f874f447e145f9384479bec51b40ea6969fdcc91e2591d0b7064f6a1d0eb2
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD56cb4f7ed1784b269bcd0b6b7c50003db
SHA1a6920d9cffacd5c5d3dc1e2b2779292449b11234
SHA25638ff2aac6ca07c3d5c46597c28f10b72c5d5f1e81a2147463c5af6be45f05dca
SHA5123577db27f98bc19d002b9158ed5ea9eb886b3fbafdb301d3efe2fc11a8878ecd60e890a9e05e449cd393c1289903aed8cba7c3ee3825254f6ed361b47cdfcb06