hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Birele.zip\\[email protected]"	[email protected]

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

[email protected]

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	[email protected]

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3484-338-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3484-340-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3484-343-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3484-344-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Birele.zip\\[email protected]"	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

71 raw.githubusercontent.com
69 raw.githubusercontent.com
70 raw.githubusercontent.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
71	raw.githubusercontent.com
69	raw.githubusercontent.com
70	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

[email protected]taskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2704 taskkill.exe

pid	process
2704	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690211850500045"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

520 chrome.exe
520 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

520 chrome.exe
520 chrome.exe
520 chrome.exe
520 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeCreatePagefilePrivilege	520	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exe

pid	process
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 520 wrote to memory of 816	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 816	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 2272	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 560	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 560	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe
PID 520 wrote to memory of 4808	520	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff807f1cc40,0x7ff807f1cc4c,0x7ff807f1cc58
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4832,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5020,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4324,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,356035426945363507,13862664260069258519,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:1844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\Temp1_Birele.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Birele.zip\[email protected]"
1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7815bdee9267d0dc4bb42ab6f587057e

SHA1
7c97bf21466b46c28e6324fca93a2460ce5f5b11

SHA256
ab3bbd1921c1ec76d825ed0c07323cccff2aee7733b9a3fc1b8fc699e3b75daf

SHA512
db41da095fceb621145d366f77cdf68a17d2676231dbb25d15337e75e11c2570d159387e1230e9322cd19bf2a99a90a0c0e5e56cf7e1a12ebfef24d2fd65df6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
846798d32677476e029dc3ca2579e209

SHA1
e94ce52134b65b40f8f09720475bec769085b2e2

SHA256
e8d030d73256c4fff8a47f98dddd12ab7192b574e6d6906f84e5822f58c77ac2

SHA512
85b2b0e52796ff3bc0e4bf0bfde8f8f4d67937b5d32a4e698701ac0ffe9e73680f9e9eae6acac2f7b7fe9d71d2d7ecb0cbe9356583b5bafae88249f16162f9ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4ceb909764a5ed70f26a24bfd6056bea

SHA1
f2017cf6303d04f054d79704c7247e65e14bfd44

SHA256
3be24b431e5799ff5ed442ba4d349e79b059e7719941c10e620abecd3c43348d

SHA512
c1204a97f99c7304d9ead03cd48db2deea5a626dd2c04f1e6c40d9764ebc5840b0f7ed1f58cc1f8bc8ef527feda5271fde4773862f2d2307723385242ce84d99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
70bc959d2b4ea523943d42880e965063

SHA1
dcbb4f9dcb2f183ed2d39c54aab6a10d8d82e651

SHA256
8592d181d93344c5783a4b309632c5ecc02deab6938e4f0e130423d45f67084c

SHA512
09c51faf2d1ef433e581665fabfd4ccd2bfbf1bece809cac25da823e5556cf5936201efcb778a70ab297245ba6762fbe3f1447c248e6d7bde591c4fcfc6b87cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c43047c8e258fdb1b46ad88b10faef0

SHA1
0db4ab72f235eeffa91f4f3b580158df055c6c89

SHA256
3658215fcd3cf3bc06377c9b19f58226db7f75e76716597a7ea0c2b7bc1abee3

SHA512
abb7c1831c4784e6f219d689efb84b83db80eb5e6802ea2e22093bdeb1684d43163a9f5d11e090a4b593996734a7d8c9b377111ab5f58a4748743e05674586cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d88a8f33bd27cad2217fd029c86808c

SHA1
7208659a5f85b131f61d59c3839c54579522ea75

SHA256
e377976cc5a95fc69786c6d0446e3df570efc46d402d71536197fd8eec5740a0

SHA512
cac74d3bf25c30ca48ad9d8f568080bd0bd49dec62543da1b0411eb0193232b2bc16b186b51a10deac102881b3beca8aac6e49fb9f6339eb9739d590fdfaa476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4404d533c992705a6cf3cd60ad25f668

SHA1
5c800b851f2899a0e1aa419b3f7f039c0aa1770e

SHA256
a02a830ee40a82586ea3335b92ef8626fadd3a07352b32044adde3d3119f3300

SHA512
7021e4a31ae8ad79cb1c10dc73d77f01ac83c99f4ef111cabb78609f82d8b99a765e3b1b64befeb7d69e308550820966bf9d8cc0ecbff39600d12f85ca3b383d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c3989504-a333-40db-8183-1d2148783c84.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65c0b71254009d73764d51aa6594e761

SHA1
40700bde361387688b24ac3782dc8f8731b9382b

SHA256
bedbe711e4fc37567cdf250ab4c8d5b584fbdad7e4b18accaa3c06d5c360a2bc

SHA512
f57f695df0c8595c20dbf27ecf11ffb4a52c8caa13e4775278505f9960561edc10b620be0e852b50a90afd38651c6cc727cefb6bf0600ab51c7bcae20af55df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff4fd286fadf31c189dcd4df9c676136

SHA1
3c79afb2ddd4bbce4dcb0b51690e189686ec499f

SHA256
9c0d6e234a04d64f8bd340d24e40c227dc37d817056550b9e0cc3da6fd7ec564

SHA512
e304a77d40584bc618657a04f2c442146bf1a24567f57402c33885e8206320037648cb27860c78270c2e0a97c8e8fd730b7db73c5f24f886f427f04d6a46de91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f60e709fb3ec0f745038ce7bc2ad370c

SHA1
5d2ce25a24577322f7543b2f63bca705eba87b7f

SHA256
5b54af2048a837725159b0e5705a7a76e70baadac914d4fe68ffd0c35e8b146e

SHA512
773017c5613169acb69e8255068b4bd5a0bb015fed5e0bb7134de1ad85223ee34f1b24df663c5419386e0d0c2a11192be5df02faaf395898d978973669f270b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4aa7d1f74d0117369d67daacc1bc037f

SHA1
079565905a8b9437606eb67dc4e2ff058d37524e

SHA256
25d089064e70b095778941711542cd34c1b9867e95bdc38447e572c82525a7e5

SHA512
a091341faf574e51211ff2aeb80eabeb5613380388a1204672db218fad4eb60645d1f790e14c20a64ad60143fc5529fa4fa6ffa601310e74103060acd784c223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c1da5ad6a6031c7303da8757c74b7186

SHA1
518878db06fb9fbea1bdcd6c63b39dfa78c10da9

SHA256
5a70c9aadce3575ae0bf0c9cb07079b2d51b818ffa575903f2b2e4b6bd308996

SHA512
146a43ed3627e855847d2016385ef1c28cf5d070953404341ed0613826cc3fd7fc33da335a8e291f78e7e218a9659f0c90d85f3fa7e47beb93844c33f7650cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2fc6848794e8aeac4cac2c896f4ab03

SHA1
038ecbe45f8e96375fc9f6fc3f1882513598ee91

SHA256
d9a71a0eecd6d86d7edb714e76d630b508a21d88e61c056fde17dc15a3156c63

SHA512
750f6ed4aaa2d499ee1548da8d3fb550b323a3496696458ab9909e914bfa0d1e61fa4c4bf67d055842711ff4353c24f3407ba95615577601eb442241b982d7a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
229aea04cbd14157b2d8df4f64ccef06

SHA1
317f905c3f70d84e0db056f39f4f92bd3cd3b084

SHA256
404130a733f0f5e9edc3014da748a8373ba5aa73b07070d16a6b49c684fa78cc

SHA512
42e268a6ccdc51974e2fe7f867cdfad5bf43996382c09a496586414cd7e5c7dbc3e579fa3932b85f197797ce57e6382e39b38f8094a8beb24292b928c928c779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
63a155e51fcd11ff303eb713e0131722

SHA1
719c8da01c2365efc32922171b8fbf5961160cc1

SHA256
16a7b71c43a77fb4c35b5dca8324aeed42345b05b7365dd3c94d6b50922f4f5b

SHA512
6a4297f0bcac575f00f7b1ae9a7ec0074748bdb4980953749f8dc23eecad0eb5812cd16283533b370624be1bd6456632e2154ebc4c22e6351a2528e084382132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d9f95ea4017429d4f15d23bd6f8fc0b2

SHA1
b889cae0cf45875d4b9e3ca6e1e8ecf247b1ece8

SHA256
728139afe230f4a41d0b1cbc532fcf9198cca1784e23727b017836e64890621c

SHA512
64e2973d41c25df619ee20832b4fe6c74df32129a57b02136b033463e27c01f71b3a43aacf8aa542fc354ebfd809658e83961458845c16103b6104ffbee01eb2

Download Submit
C:\Users\Admin\Downloads\Birele.zip.crdownload

Filesize
113KB

MD5
6ca327b67f1a2b2a4fbb7f342e15e7bf

SHA1
aab4a7d8199e8416ad8649fede35b846fc96f082

SHA256
460a3e3a039c2d0bb2c76017b41403bf3e92727269f49b08778d33108278b58f

SHA512
b7a7574ca52885e531aca71ebe52f7832f8a2436cda047e7686936fe0337eae7c4ebcc57df27c26316871d4167ea4e6794beb933f7c13efb0addac0d400e4d9a

Download Submit
C:\Users\Admin\Downloads\Spark.zip.crdownload

Filesize
1.6MB

MD5
860168a14356be3e65650b8a3cf6c3a0

SHA1
ea99e29e119d88caf9d38fb6aac04a97e9c5ac63

SHA256
1ae2a53c8adc94b1566ea6b3aa63ce7fe2a2b2fcbe4cec3112f9ebe76e2e9bf9

SHA512
0637e4838beded9c829612f0961d981ee6c049f4390c3115fed9c4e919561ad3d0aa7110e32c1d62468a7e4cdc85d2f2e39a741939efd1aafae551de705aab61

Download Submit
\??\pipe\crashpad_520_EEELIICXITBQRJVU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3484-338-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-339-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/3484-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-342-0x0000000000418000-0x0000000000425000-memory.dmp

Filesize
52KB

Download
memory/3484-344-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3484-345-0x0000000000418000-0x0000000000425000-memory.dmp

Filesize
52KB

Download