782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385

Analysis

max time kernel
753s
max time network
735s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

curl-8.4.0_6-win64-mingw.zip
Size

10.0MB
MD5

3f79e33d3fcbaa871c28c249624be75c
SHA1

87f86bc5be209756da289e16d85159c650f95d69
SHA256

782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385
SHA512

33783f49fafd828441219412f975f5427b824ba479fa73e1d92d8dc400215b57840f4db7daf9b033efc61dda5e37d82a7a48862e44ad249c9dc23b3de59e445a
SSDEEP

196608:l0It7beRd2pIX2Iv3Gr1PHIZRBZn/Jo88UMa:lv7bA2pQ3qlC7bP8S

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
85	208	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3132	ukraine.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukraine_flag.jpg"	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133430357017785763"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
1596	chrome.exe
1596	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe
Token: SeShutdownPrivilege	2976	chrome.exe
Token: SeCreatePagefilePrivilege	2976	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2772	2976	chrome.exe	98
PID 2976 wrote to memory of 2772	2976	chrome.exe	98
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 3108	2976	chrome.exe	100
PID 2976 wrote to memory of 1036	2976	chrome.exe	101
PID 2976 wrote to memory of 1036	2976	chrome.exe	101
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102
PID 2976 wrote to memory of 2736	2976	chrome.exe	102

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\curl-8.4.0_6-win64-mingw.zip
1⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac6969758,0x7ffac6969768,0x7ffac6969778
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:2
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2784 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2792 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5244 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5184 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4016 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4000 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Users\Admin\Downloads\ukraine.exe
  "C:\Users\Admin\Downloads\ukraine.exe"
  2⤵
  - Executes dropped EXE
  PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile '%TEMP%\ukraine_flag.jpg'"
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg'"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, '%TEMP%\ukraine_flag.jpg', 3)"
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg', 3)"
      4⤵
      Sets desktop wallpaper using registry
      Suspicious behavior: EnumeratesProcesses
      PID:3648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nfzjwkty\nfzjwkty.cmdline"
        5⤵
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "c:\Users\Admin\AppData\Local\Temp\nfzjwkty\CSCACD77F5DCCC24F7AB080FC663595758.TMP"
        6⤵
        
        PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2380 --field-trial-handle=2000,i,17761761282677807642,15317375220602323271,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
22bcc0aa428f5bc0b45e6c562d32d205

SHA1
e440d2dd4baaef952518e24e94a6d5fcee6e374e

SHA256
c49f7bb9e1b78995a5726ad75dfbc4830f5c874b31a965abd59d6c52246e9380

SHA512
2410d9ee258779c231bd89e89d80349a8ce15815b416cf2ebcccedcc7ae384912e82730a58db21388af1d30adbf06a50d4f6052b4a253ca4f1cbb5a3cceade73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7ec5aa06-cb2d-479f-af46-5c282a7f2c88.tmp

Filesize
1KB

MD5
553af58f7a761bfd4ae2145ba7aadb83

SHA1
cc203cb36d45baeb2fac243d12ed3b84bec645df

SHA256
a52c4075bf9fca41f0b569f560757c2ca08afc842b967f0673a30bbf30ca017f

SHA512
feb1c67ec227a93343ab7aef5a2f147c05031a9b3bd09c4037e09d9b05afd891211c35de0c855af8eeec3a59ab4ce344d264fddc032553bd151f24e826882c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
51cdf1294d4cc2a27bc1df9c15c42d4e

SHA1
9dda2ebbc4d60cf96b8002d3b49d419bded4be7d

SHA256
79874612366d326b19360dd0ec92e793cf9eb18afd184dce521c244da7eba303

SHA512
3e253e672b6c833f70e4956af35554c10049ee3bdfcb1e48aeed95411997387fe1a0924f0a998694fc90454b40e8659cc2214460067715410a2e0214e518644f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3bc6d8b4e2ac576fa2392d14aed22b7e

SHA1
bf2fc0eaa1add4cbc0fbaa13bfce48ce59f6c1b8

SHA256
6c0347ba9f3710d37fc439cb31c6944cf66ae669f0881bcd54bd628ae9f102c3

SHA512
317732f635391e4668d3c9b4ca5267c69caced8bf7ec08824284cdd7926e3948fac881c25a6b75c341556f57ea2e2c8343f34f44b1b119ffaee2ee749b811ab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
99b4c09328142f356fffac8fd68bd23d

SHA1
4d7037426ed41535e3144e2ff842b5e430366d03

SHA256
e18606fff864a662f99b25951bfcc7f1c6f63936aa6bdd1fe78eaffacca87d83

SHA512
743314041af3ee488017f8cff2afa94e0d5b39b5bbe2fa482bb0df44bbc027062f925d543cfbed7699ee6dd3c06cb0914b3e843dde3eec83b1c038637a176426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
494c2eed847c538db4368c1b06565b1e

SHA1
b6aaa064772f3d292205397caea0d0dd4b086f32

SHA256
41276a43b13d988b1bcecb8b1cc04cfe23b3455cd48b354d5ab6223601a5f09b

SHA512
6f4a9ec7b68e91bc34152d347d1cd0963d0dc5c7ec57b664e526796f30b2ce5c59076cdd5953c217f8991a296efbd224d69f21354e838d9638f8e1da96260bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f544d31d00618ce8f67c24c32379b284

SHA1
07696391ca86417df6748910bc6f20bda986ef4c

SHA256
ac7bfea7e192608ca192461666a68f211669ead3005dd5e6661c535dc8690f42

SHA512
3652c022e27fe77ba3f05611a26ec03386094a81aa8c3c2f16778eeb9d9a6f1ad92354f42b81e82ff468a2e0ab768a18739c35133f80d9ca4baf2a7a8514778e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
216KB

MD5
9297943a3925226dec7c342b06d1da95

SHA1
40da757664159d491836b9715566778b42e16147

SHA256
0119967acb54abf05b05b3fef40f5b42e05070a8970b80c96afe73592389aea7

SHA512
d5db616f14ebf20fa1c175239a4c1091917760966742d60e171ee33b7d7811f97e86b1162a82f90150218e4a029f0885b1a8b7ac1255fd1eacc55e8be79cd724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
cedde6893bcbaed3df4b1e8e418746d5

SHA1
634ba26ecfca6f71917986f8b1720737b081b1c2

SHA256
09f923f466031a1abf06bd61f997adbec37a2dd494c04587c9abea672cb76b70

SHA512
ca854e9d0adf9cff5c8faa60e347145c99db6244332c1efd40cbc4cabc9e29aafc86ce5d835d0121411dd9a66ca4cca9c016930265490083d337e05e8781404c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
54b2e8f0888041df3bd4d2dc4c508e33

SHA1
13694bcb3e8b41cbcfd06919c4db58df2abbdf70

SHA256
dea3473a1f8a2a8d78fada6cd282a2909d0a235d022ee619050c3f8ad63f8f69

SHA512
466c6064fc0a2a763c7ede48e87fb0914701158f3729861428eaee699589c8d09ed43aae684314d9ef3a2cda0ee20151f596619e7c66be8f8339be4c31e09c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582a28.TMP

Filesize
98KB

MD5
e8d5cfc19ed293df59c778c3da4b2617

SHA1
b61fb8e19727f9e989bd88e7aed5127c0effe25f

SHA256
c626bd36b6ec2decc327a0b892ba0ef97b38209fcd1ea78eb9399d617d630cc9

SHA512
1a83c53786e757a200beab646dc1b06f9ee4e18cefd042a7b97d9aa1fe90b1becc096a361c867ac8ba73a16758487a5a2254a33a09ea77082d84de30faf991b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
95201d9e44c732d9b261b4b334505d6b

SHA1
d5f3f499ef27920d8a614152191a7e0c2f9c0264

SHA256
baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

SHA512
15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1f5e03b94cee8874b27445379ccc405a

SHA1
5808d8adf153a1a2ec3c67df6c162aa2f8a7d4f9

SHA256
f1217a8058d30e357e7e1554434747041db18eb65f74c61f9b0a1d775b363e33

SHA512
95cd009bf2bc8a55301dfcbca7f9aecaacb66b8efb1b657bf7f6f66148854d5e4599c2b3af3f14d287ac892fa7f2e9b9b5c89cb21a90374cc4fdfeb7329fbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp

Filesize
1KB

MD5
c4efb28ca5758e08767c8e1dee792c6c

SHA1
27cc34a56a7f3e61102075af0a36df83071d107f

SHA256
24c018549d23b1d94222a5f9c4918431de862a6eec94527adb840b5591636055

SHA512
3464e2e7742bf903c25a554f14a6e1874fbb778245d6ddc901f6c2cc623c7e3d2ae2250903b32c8e97dbf66f90daa25ebd128d97b8c2d8a6f1223b18472b0e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_butajz2e.exe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfzjwkty\nfzjwkty.dll

Filesize
3KB

MD5
b671af937d955b752580b960b031551b

SHA1
ca6df6e558823e0e450b321617e2bb6bf5a9645e

SHA256
fb82674dc6c032b82f9b5987d461999612c01ee7a0d2709a18b05a2618b111b6

SHA512
b5cd300814fd1db0d9c009162eb437e8697fa765ec5124aece2ac81d2229f4df6fc8209c22895302274be2482ed74fe3f9e9de3e906a06103fe8c841c5df27cc

Download Submit
C:\Users\Admin\Desktop\CopySync.TS

Filesize
461KB

MD5
abd2e1abd2b984f0236de341dea92e6d

SHA1
37733a7005a731c63e928b4b97e06c995a571a89

SHA256
813c2b4adb8fcf25a6a71a33c6a6ad8349b6b5c3826d14a15d21955915813d0f

SHA512
e1de6a1cc57fe6cab67c025fd0296a5bcadd1d81cd163d7e8ab3f02bacb1755e83d9a75a0228fe9fb445a2cb48b9b5b2525ebcd3f5917b66946e160700809dcb

Download Submit
C:\Users\Admin\Desktop\DenyResume.mpeg2

Filesize
322KB

MD5
6c82c2d9e1725bbb99ee1c3b8ee78cf7

SHA1
2fc02ea253ecdfe40dc1f1c23dae226c7f7ca1f5

SHA256
ae98fdc40ca43407c58b10c2140df37d28c72df525bd706a80407497d84670f9

SHA512
b99cfbd08cbc7684288b1679e722f76bc662e890ed7bed78337ff83cb1db0106b98199001fafe26828b8e779cb766d698744a920c0fab71203e19967f2bc75a3

Download Submit
C:\Users\Admin\Desktop\ExitBlock.3gp

Filesize
496KB

MD5
a0a084ba26616cb79c32e0cdbefab486

SHA1
259fa4a4173360a66b97cb44e0f44723e6113e37

SHA256
5e4c8ff3188141593fe1cf618baa7f74d852259520eefe64317845139c63c56c

SHA512
e32d638d862977fdd86caf19d6f193f56b03ab6004d7f737d9abb3e623a86bedc30cfa60897a707656e41c69b2cc7244d20e72d201bb2f9fc2c0a72f95726593

Download Submit
C:\Users\Admin\Desktop\ExitStart.txt

Filesize
270KB

MD5
0834e35e946cd26f7a7a6f37e1fbaf87

SHA1
bc49ad2cfaa5697d713ab91b42fe8e0575e80f12

SHA256
e9a31979a56081c1ed16bd2dc0eff11bf195013d51a84e50dbcaa4184cd7d649

SHA512
2c7515b6532e9fa251f47cc267adde4ed7b42061776ad6b1865f72506c7f513fa7cfe5a0e8738777cfcf6da72774dfc3c7aa2194af707289d9ec391d2700fb5b

Download Submit
C:\Users\Admin\Desktop\ExpandOut.ex_

Filesize
235KB

MD5
12f26df32e36f7d1c0f62bd5035aafec

SHA1
acfafc0d84f65314ebd783a0300932da2a64bf2c

SHA256
60f68fa5f97695597019c1219a824b356d8733b695e2a8d4e4c9797c1c6a33ab

SHA512
541b69ab9c0cb2a764d8cd8cf266a1fc2f5fc83ab81a1220d39c9802d4781f527ac9f9d4cff1cf4c91b85a979cececb0df0bebe6c91b9986aaac9d59df4ea12f

Download Submit
C:\Users\Admin\Desktop\GetConnect.pptm

Filesize
409KB

MD5
da1a0be45cae47cc791d4d4db97333df

SHA1
2f9698021ef2dee454cd43ff1b3661d09a394b8b

SHA256
339e1fa2d192c7cd27ac900269422a3d6e97c8e9f2ad1e2ed91af5e6ab4634a9

SHA512
92b2c90d09170a04b100ec21bd49aa73c92287aa4f71e5a259e4bb3a939ce6637733c396488c3f0dfcd2dd2ca59ca2184f86cd3f595600936407b97b862b5f54

Download Submit
C:\Users\Admin\Desktop\HideUndo.htm

Filesize
304KB

MD5
cff35c42d4723a2e8908d474fb340d59

SHA1
82e7dbca5fe45f70629ce96231b2ffb984eb69e2

SHA256
1cc3fba79bd214774eb1a6bae0e8cf3e40c310239fd5a4509cccda2d58ffc544

SHA512
601b6c6be724f7d359c394c6ad2cf755980bd3b96d7f23f321043286edf9aaf0b1a594a808e090b803d7cf19e7bc29f7607f6214fe6f5e3793c988b23d41ae31

Download Submit
C:\Users\Admin\Desktop\ImportLimit.m1v

Filesize
531KB

MD5
2100576130d229091ecd825fcd5c0590

SHA1
bef826ba793f0216f538bf87e8de896a11bea1f9

SHA256
21e4b5ca65c29f8d3cf08f0caceb784a92171ba31771868ac957af22a2017386

SHA512
b36f340b5a981b2de817231511dde6ff63e414d2beb766b24de870d62f22836f8555ce04d63230e2171ab7a283e390002c8a3880f94cfcb4bf03e416a7dda06c

Download Submit
C:\Users\Admin\Desktop\ImportPublish.mpg

Filesize
391KB

MD5
f455001724b90872612c7b2de83fcb7e

SHA1
85d80a3c1a967ba4ec02e9788a6587674a1a0562

SHA256
293a891a488f4d06a8d5041255a410b597d3d126f41f17aea0e52db574289902

SHA512
8ca8410101e4e785fcda02c3226f361400a19b6c89fb1087826c24b60ce6c4d29a61719bf5511907088d0b228fb850533304d227670bb794b815d92bcb936f33

Download Submit
C:\Users\Admin\Desktop\InstallSet.php

Filesize
357KB

MD5
323f2f921ad79e1c27c7bdf3b1dbf5c3

SHA1
2e4950367c96ce0419719bf8bd50357c3b62fa97

SHA256
b851b23e3ee230bef3b0eba0126aba71ad859eec38ffb0378ef6a7616f9eeedb

SHA512
f9470267b0bd10ba672e79001d9ca282deff68875d184b05faf36f167c17c8a57831991be6ffaad976066d9d9c93c82492ab2a0025dbba60c87e41fd52bd6bb4

Download Submit
C:\Users\Admin\Desktop\RedoWait.fon

Filesize
217KB

MD5
60be0c9d2ff82d9f24f72883c210b665

SHA1
f4bdff54c43db0432c2e4adf1a1d46d10f9fbcf8

SHA256
d890bf007c6d314c2d66a42fa929f457011b6a27c8a57d662379719a69f46d10

SHA512
657d34d237d1e86f53e7b7c7836ff99973ad1504a96367b5c6d19d3894f65d062029d91617d8d56cf0422a15193253261015709e97282a71f715b0c5e2976d9b

Download Submit
C:\Users\Admin\Desktop\RegisterInitialize.ps1xml

Filesize
513KB

MD5
f2e7eadff064df481d1741732ba68a10

SHA1
7274b8d2295849556ecaa02e2cfb2a616d5508f1

SHA256
d9bc2bbffbee4e562ce1b188ae2d54f97fb8a761c4a5e348f26c451676e04ae1

SHA512
e3eff702b48455613551fd17ac900d823c531fb67ce62d75520b0d357150427328201da5e229ad6ec39dcbd869345f2fddb1abfb6fc655be8af400225015b7b9

Download Submit
C:\Users\Admin\Desktop\ResetSkip.m3u

Filesize
252KB

MD5
22f788e2f74eaf580cba6ce68175197d

SHA1
9b21b69082d49871f9b935e823fd5c69150e772c

SHA256
6d7fc81a9c57eb163b6ba4d19af1436472e562775f81474a12022e5cc1aa1c65

SHA512
2a854c1560c2b7509dd538ca03c26f61e24d39bbb74e20005e1fca24e1a84fbf4785081fd8ec94a692e697c0bcf7e32840542fde47f196210bb56a21fe38283b

Download Submit
C:\Users\Admin\Desktop\RestartBlock.doc

Filesize
479KB

MD5
3203fa7b37495d2269ca34d5a25adba6

SHA1
68809096421c7a343a307616c0dc663713ef9101

SHA256
904c853b30d52ac6ba85761711715e89cb133fd49172c3acd8ce4e010c022c10

SHA512
1f923cf00e2fa65bfbc368431dd54c11109d2fd1065bb372274055cdfb563f37dedde0a56fae800c817107057aa7fb0eff44aec8468198a72902e3edb30fc2b8

Download Submit
C:\Users\Admin\Desktop\RestoreRevoke.css

Filesize
426KB

MD5
a3e5f82f1828012f2b2a35ed403d4eee

SHA1
06e29800b4bb0d866b3ebd3ec10eaed20e45f152

SHA256
5dbe8a48aebb8971768d74156c8f2a4b3472ff2e3b5d452cbbd6ed634bb6b849

SHA512
d9d8e6eeaf2fae151d78de283290336e71c39729c296acd6038b997f9dca037d48feb28a5a1eca0a941374f80d41fbd7c2ed97b6f37f058fbb1f8ad1d6fdfbcd

Download Submit
C:\Users\Admin\Desktop\SelectWatch.inf

Filesize
339KB

MD5
4d83fc3ce70d8fe2538162599bb7d9b0

SHA1
5025446a146b756c2a7068b9741e29b743fba5a9

SHA256
0b83b27f4c124c9824a34c4aebaf7815a141aae6403cd4f882029305c24a0eac

SHA512
6295c086c50dd9332535157a8b5030d31a2b1ff90cf668b8fa9d9377b510e879d01c2a7f3f7e8fc1ce77f0c76d6ad09b7fc7927451632fdc57817023cd51f7b2

Download Submit
C:\Users\Admin\Desktop\SendTrace.001

Filesize
287KB

MD5
d828bbd9d923e81e6e21b68aceefc05e

SHA1
f5fa8d8c4cb5a2512c5ec93f983a6dbab2ee2881

SHA256
1504cb528bd4fe658af8a45e8ec973516ffdb42f3cfd8a65d40c6c05153521a3

SHA512
3f4d5b2ecc9d194612020f0f43344d3464231b13f278f8c6b140c40952d899d9820a7b8d40809f045b267c6a9700f88da5266fb102e165a7a558a7417d4b63f7

Download Submit
C:\Users\Admin\Desktop\SkipUndo.cab

Filesize
783KB

MD5
25a41bed4cfb7d9c480149e4598eaabc

SHA1
70ebb27fb6fc5a4e78ade219c41eceb3221bb9dc

SHA256
db1d34c7a79418bdfd8a1ae2fcb60cbb044cbb0f18a366f73f2d98051a126dc7

SHA512
afc8af82bd45dd7ffd60b36e7214a4dac7bd67cf3acc9cebb8545b06e7c8da706dd31bc795d8849f9af1f7c1c4f4ab771cb1ee2a2c17ef4c4bf878b2de3dbffc

Download Submit
C:\Users\Admin\Desktop\StopRevoke.TS

Filesize
444KB

MD5
920cd3b914c8211fbceae171220e0a09

SHA1
476e9e0f2d0025c7d2f28092d355211aa9910d24

SHA256
667b5bdaaafd60ca0c608ed373948b8cfb0795039943462e03b3b2b0b42a0c2a

SHA512
160abdc77017b832be6934d5ace14277c7f3e314cf405c99443683cf308771e9a9381ccdd97868c09db4c27f3906974692a3579baa4b3f4d13fbe38e5053238c

Download Submit
C:\Users\Admin\Desktop\SyncMerge.odt

Filesize
548KB

MD5
a8fc244502e2f4616ec448bf29796aa4

SHA1
9806f28e55973d3484f9053f8d784c944db4761a

SHA256
cb848120732804934c0673625905e40e649b960ed5882ba0fff92c9c11551681

SHA512
7e71932c00348c1a6371d842c3adb20be96de543fe7c7d423536537f8702402519b8f7bb3295c75e2a5fd5f4f5ffb9f145542988d2b07291a0b73f112d54b112

Download Submit
C:\Users\Admin\Desktop\UnlockFind.vsx

Filesize
566KB

MD5
6f992f42b38af158d90ec4cf9022f8b3

SHA1
00b413b6640176eb58d891676f9c2ac88bfc8027

SHA256
bae1881448af97cb99efca23728e03b91a7646bad8f8a261ebeefc2631e829bd

SHA512
3d195363cb713840ee61861b42238ceea709d1c6e15e835947981630987e448c7776c2fdf04461ff2a1bde059bd63457450d6ba4a49d2641959a3fa53ba32529

Download Submit
C:\Users\Admin\Desktop\UnpublishSuspend.pptm

Filesize
200KB

MD5
6de87731530e35b6420ee9c2bf00ddfc

SHA1
0792c1350f9d00f7cf8257121912ed5ed84da311

SHA256
8b15b3c9fa67adc0bf16df7eb4346e025bc1c87929638837dcd1281af137a154

SHA512
d66360fa777bd66c30090736b71134ed21169e8370d295b8fcb387d2d3d690b002d604b3a7d493044ef93397bab36ce3adeb441c01202aeb49124bbffbb8081d

Download Submit
C:\Users\Admin\Desktop\UnregisterPop.vstm

Filesize
374KB

MD5
04b7a2225497843e92c6958ae8e90b04

SHA1
28de414cc803c18e677020065e533e2c26f3e3b7

SHA256
32c33a4918c2e84730c5571cfc981b27eadd76fb6acf2d39ced5a07de643b957

SHA512
e305cf146c28fcec3794007b331b022c7263e2922720a97ed7031c8361452800bcb686c6241be938160a66574b337b7cfddaa4e248e8878e7924c622b84f99ea

Download Submit
C:\Users\Admin\Downloads\ukraine.exe

Filesize
91KB

MD5
0de7375deb42ee8482fe5fc49251151b

SHA1
edf930f23982db789e4584296300c6d1e8932d86

SHA256
8200dec6578c5a4632da3291be655616743b4121b8a8dd314837dc5a9c4ee05c

SHA512
0ae60da19a74e43f742070c560f940ae7df6b0709ee3be092bfbce588d6eaab5ca6b7f0e44e06a05106cf81bf9917f7e1cb67e7dfe5ded44b9c9ce3734dc7b6e

Download Submit
C:\Users\Admin\Downloads\ukraine.exe

Filesize
91KB

MD5
0de7375deb42ee8482fe5fc49251151b

SHA1
edf930f23982db789e4584296300c6d1e8932d86

SHA256
8200dec6578c5a4632da3291be655616743b4121b8a8dd314837dc5a9c4ee05c

SHA512
0ae60da19a74e43f742070c560f940ae7df6b0709ee3be092bfbce588d6eaab5ca6b7f0e44e06a05106cf81bf9917f7e1cb67e7dfe5ded44b9c9ce3734dc7b6e

Download Submit
C:\Users\Admin\Downloads\ukraine.exe

Filesize
91KB

MD5
0de7375deb42ee8482fe5fc49251151b

SHA1
edf930f23982db789e4584296300c6d1e8932d86

SHA256
8200dec6578c5a4632da3291be655616743b4121b8a8dd314837dc5a9c4ee05c

SHA512
0ae60da19a74e43f742070c560f940ae7df6b0709ee3be092bfbce588d6eaab5ca6b7f0e44e06a05106cf81bf9917f7e1cb67e7dfe5ded44b9c9ce3734dc7b6e

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
8e5918aa7b5650e0a9dce88c4c1127e9

SHA1
2b17be13cfb73bc462866ddcd8a50168ff36b3ee

SHA256
252d6e1f8a064c6960765730aadd709f23567c40cafa0d5638e25c28d646af02

SHA512
db9d67e98aa23a3f74fb7e5f2ad584c3100ef4743020234f5e0c1ee243aaf05c0076b804e131d583a7b700139cc6c60f7f29dfd8c7abba5ed6b1765dc2d37761

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
17af66131493ea07cce188e3c74384b3

SHA1
8d79dc126a8c7893b4a4645c8ac32b8f4f3153a8

SHA256
091e36b13a0bfc8b7bef961d56abb9b3cbb6e68ebafa2ddb2786776c10ab5e93

SHA512
b4f055789871ae381c0d965e41c5ad966b0ddadc78416fce2d13b21b5260843ad782364f22ef591488bad6e1448381d2beb9a99afb6eb7b9becd7a0ffceeb39e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfzjwkty\CSCACD77F5DCCC24F7AB080FC663595758.TMP

Filesize
652B

MD5
043be530ddd4ec8d55dc424e3cdcfef2

SHA1
0ad1766ebaedb16a24d91a505e4e435c9ac9469c

SHA256
817a4a7ad913e26a7c18dc62a9e550139fd65eb325c7b31488400a12ba38945b

SHA512
986fd4e90f00c8a74e982bb2e3e8f51b9dbdc274315cc1976e6769efeec72f267c8f770870c1cbc0ec128e36bbdc3059d4036fdfb12cf6d802e9f1eb809a1f11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfzjwkty\nfzjwkty.0.cs

Filesize
234B

MD5
b5bc6f9136dce704041d49aebb0b4fa1

SHA1
9b2966bebcbd68d70a40f85682f148d5c6bbb8bb

SHA256
d17a04b258a3f4d6c07a25e77ca59c310f7030062eceec328eea1f0d2047f024

SHA512
e828bc3fae857240e623fd28c2524b56c8d294ac2bf45a24869dc6786a7cd2d5bd2299546a2a9b4b286f96b91e48c2d8f185a3d508808edf06a4da0e54b02c6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfzjwkty\nfzjwkty.cmdline

Filesize
369B

MD5
975321c26765ab0d2d428154d91f4d24

SHA1
2763971850f3347a8f9e14e931338698fb369be7

SHA256
4fe10bfd4f43d1bd2d5060b32916a6fe9ef866d858134ff63bdb243817a099fe

SHA512
b92592f8d98f26fc54db536166a72ff9a668bba813dc7d18e1af238b5e2a960757d34d78ca6285125ac07c8eba09429bd128352eeac61933ff8b5bcd4edf8d5f

Download Submit
memory/208-133-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/208-137-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/208-158-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/208-157-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/208-171-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/208-130-0x0000000005200000-0x0000000005236000-memory.dmp

Filesize
216KB

Download
memory/208-151-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/208-131-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/208-132-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/208-150-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/208-147-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/208-159-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/208-136-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/208-135-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/208-134-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/3132-214-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3132-175-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3648-185-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-173-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3648-172-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3648-212-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3648-209-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/3648-174-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3648-196-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download