782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385

Analysis

max time kernel
721s
max time network
734s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2023 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

curl-8.4.0_6-win64-mingw/BUILD-README.url
Size

62B
MD5

98d34b6a6f959ca1c81d4a047283f9d0
SHA1

2e4c74fb2d4eefed62d7d0570508d0f16a3228c8
SHA256

95e00d67d239c10169e7110091659daf50f3d4ae8dce30ac5eac529b09177800
SHA512

357fbcd38c834e26018eef1c239fa1f51a1d9abc3690e5b6df2c6bd3a96db5de9f5ceba66b0a3d63eefd92757cca9c1b2fdf17681bdc3266739f9954154a228e

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
110	344	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4916	ukraine.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukraine_flag.jpg"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 529807.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
4756	msedge.exe
4756	msedge.exe
2896	identity_helper.exe
2896	identity_helper.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
3952	msedge.exe
3952	msedge.exe
344	powershell.exe
344	powershell.exe
4844	powershell.exe
4844	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4756	1060	rundll32.exe	86
PID 1060 wrote to memory of 4756	1060	rundll32.exe	86
PID 4756 wrote to memory of 3040	4756	msedge.exe	88
PID 4756 wrote to memory of 3040	4756	msedge.exe	88
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 4532	4756	msedge.exe	91
PID 4756 wrote to memory of 2280	4756	msedge.exe	90
PID 4756 wrote to memory of 2280	4756	msedge.exe	90
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92
PID 4756 wrote to memory of 2576	4756	msedge.exe	92

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\curl-8.4.0_6-win64-mingw\BUILD-README.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/curl/curl-for-win
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe425446f8,0x7ffe42544708,0x7ffe42544718
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:1432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3536 /prefetch:8
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2260,16633787564660396756,10644860135506166248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3952
- - C:\Users\Admin\Downloads\ukraine.exe
    "C:\Users\Admin\Downloads\ukraine.exe"
    3⤵
    - Executes dropped EXE
    PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile '%TEMP%\ukraine_flag.jpg'"
      4⤵
      PID:1872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg'"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, '%TEMP%\ukraine_flag.jpg', 3)"
      4⤵
      PID:3776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg', 3)"
        5⤵
        Sets desktop wallpaper using registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0p4wq22x\0p4wq22x.cmdline"
        6⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4.tmp" "c:\Users\Admin\AppData\Local\Temp\0p4wq22x\CSCF4C446F2AB6F4BFBB7ABB13A5988F9.TMP"
        7⤵
        
        PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
95201d9e44c732d9b261b4b334505d6b

SHA1
d5f3f499ef27920d8a614152191a7e0c2f9c0264

SHA256
baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

SHA512
15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d91e4ec932e4cf30fd2cd2657b546192

SHA1
4f58ea7b97f3fa6b4b1927580bb1b65d2c30cbac

SHA256
9eb8138409e200dd710dc6bc3b2576d1e571432cebeb6faffea4cfebd431b8a2

SHA512
e59f956b11e6fc984186e23a8f47e007f0364397a6a483069ddbc536c8908216771efd0327a5882e63733b4fedf4f2300a3ccbbada7ca9888ec1b62dd355d15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cf8b99d152a03560541e2a20f9b59f13

SHA1
feb761cbf891edfa22044ff5f79d6efcc4420e73

SHA256
e0485a106b1fc9c4fdb7162095b622f9b5c2eafa4c0f15b735c626009f4be98a

SHA512
31c036a533447a4a2a2478eec8c9b735a1e48902762d394a56979bb9f7983e74e036c12d0199b1a5729c1cdedbe85476cd6d8a1c3fde9fa34dfab2dc77503c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
aadae93b8d636d034aee972c3635d7b5

SHA1
d8c1119ed585b5403056f37515b98d32d3275ab9

SHA256
baf498aa585a836559bfdfeba511aa8392d8fac7d57e594062dbad9bbd5c8327

SHA512
0a27888dc32f54cf0f1dff75e1f38813c60a0e0d04c16eb2f0a6bd898455f31f0008aa550b1e36f342527d777e71d9ef3e7e88788366f6b64cfdf8ece6e7bd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
657B

MD5
3bd738dc5bb3e8054c5dcffd767f1a0b

SHA1
304fb52374e968c70988fa67f3c5a76d53ac96f3

SHA256
59b030cbdadd2cd6ff9fbab7c37a063d609e9520c72ae88148e0cd4626b1d946

SHA512
5b9375375b904a96765a0352805fc7778f6594c6772f29fa1481d192a2ddd219c2f426e5bcf9136d49956516150b1cf23736dfe1b6742933972b30f937eedc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
746bb2805f9c4b5f4e974167b4280ca7

SHA1
53f4591236c088e9732e22e1477e247be92a692e

SHA256
ed07eac420d1343d4954fdaf7d41e9016b09359278a89e36343671473c7dc150

SHA512
970f8844bebab120f347dae58226225083a9f8a8c1931a15a1f611f064927ed3aabcdb1fff29a16bef02967d911aad28e5b818ddd4f6d32119218f5972a70f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7930ec8cc50ae593443c2e2466641f3b

SHA1
6898fd9a03db0575deda3249b8d6cf96b492aa6d

SHA256
f8bebee2200241845ee51b7c15ab5dcaf085bbad9b4348f7f7014f16d296fe1b

SHA512
97592f72c51771a367e6dae92a0331ea49c7d8805c8b72a7e035e84cd588c99adb4fbf364cafc5b0cad7d00422b5d12012f829bd1503191f795be1f214358919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96e616d7072aaa6331544840f0b1de5b

SHA1
cd7b61419083faa2d10228a662cf049c412d40bd

SHA256
4eef32699902c566b01afa41a3417abc8fb5c362e88f6427381576c65df2f715

SHA512
eca45ae4bb718e0260d211d779cc21ac6beac0d95c550b49de8a233f4012b5aa8044c85fde0f566e9ad0e73589fa6f2745bad50ef6b29e24cd9da49af7867e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90c71d23ad09def9e58036eab5931adf

SHA1
ca0ddfc5d5c3e7dc0cb10ed8e844718613373742

SHA256
f3f9934d68db8a62a1990051b28ed195dc4552253b1ca49c6b3d5f462f28325b

SHA512
dbe47b5507fb4b5a9dd8d5fdcff791c73785ef3225ac6524cbe578fefcd34a966bfd0eaa6175ea9f092251ff4d5d73dbaa894974801a951398d24edf8ebed0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37272ca7a196326ff4fc4c134e96213b

SHA1
242cc16879d013e019de26bc4a635d01a38eebd8

SHA256
f03c9462fbbfb02847a1cbbe87793f3f72163559abe2bbb4aa6e8d2153ee69c0

SHA512
2fdf50aec7060dfc04e32981f37b3c5e1f0292a3e4e9881040196a691063412816ab4c302ce5f4f58a5eaaa26d55c664c907c4db45e62749c23a004fe7ec8786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bb86f.TMP

Filesize
1KB

MD5
7073df71649703d95f6b1832e4139e0e

SHA1
1ed24c186262743510249a6cf35002f9ad7acd5a

SHA256
477b5387038b02cb5d4f6bba27b7fdf13637eed11372a418d9e448329749ef2d

SHA512
b169adb2831ce83f3c9ceee72071b4fcde8035bfbd9e6a64e242619740d9a3ff0f77ced0372880ba6fdefd4f7c09569a444adc432722e1e964a8dfb4af110402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
378544f71af6ffcaa30d73dd41d4c2e7

SHA1
e7264ab784ef996dd8941128432fac477593a976

SHA256
b50938d2a155903651594a9566a6c2a08ac3d43ff804ce56bb56d15d5da7a131

SHA512
1757c068eb73f7a1a55d7f23f553c3113f7f7f10586cb9f418e7c0c1b826c4032a45821ad2438aab00c26c485572aeee66bca984c5fb2f015d7ee3476246511a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
acdbcf5ad9abd297cda9fc01395c9871

SHA1
654c775b0f61d534d93f734ae22976389b3088d1

SHA256
d517248b8e99df985f2e2e2ebbc1c50b41b9bfed1a99ec10f65d973698b3db4e

SHA512
19ce7cf4a239a7ffc5ae0b291c361a4e0ae11aa29ad67cd1c1bcd83fe7445ce561236791d4d3b87dcb5d1301b943289a5b721ee9fb6d347398a4a1d66ecb082b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
07eec981945b3c25d0410dd913259aab

SHA1
99ac97c882d74c377169ecb32103f40cbbd5eb85

SHA256
f588d010d516d91aa1d295f281c0754a753577bda58cf508bc430cbb5daca0fe

SHA512
ce1d3edfe910ba8a1b956b9d33b9c8187656ca0d4826e758f9c0bac344cf3a33e68ab243f56b8d42d8f551a353913cb5dc7c73b1d0758d37736d1f010a1b4f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0p4wq22x\0p4wq22x.dll

Filesize
3KB

MD5
011269b56127e3c76a81c293901f1b17

SHA1
69bba71645b57432b3a18b40450257e4743a8a56

SHA256
84b121bf54dd8ec7f3c39e227fde2935b6c4babed5c58c3fa401e77fc570cd7a

SHA512
956bed6b82cae93cabbd75708f5796082761de3b2f60e716005ff682c8633ef89e2a51bb6a538ecc7592618cb00dda0ae3de9377355eff84a6883cf9105205ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4.tmp

Filesize
1KB

MD5
17c1d865a437526403ad5e619f74eabc

SHA1
8892731f203d0e31ad752fa84de10c5fd3985a09

SHA256
54040edb98015ce3c8db8d3c2d2f5cbb961a1b91d30bb3961c1266cc8e6f22c3

SHA512
bac5a5ab00131146f9120c04e96b7e4b220c6cb96c27e4b77db5c3259eec3153a78fe3f436c7651ab991e7d27d8c4cf331fe0f5a8998cace179c104c2913f731

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agrgr4uh.0zj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 529807.crdownload

Filesize
91KB

MD5
7834280ba27c5b1ddc9659ad7089816a

SHA1
f7bed8501aa73d6d46dad54dd70590d00b75ab62

SHA256
8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e

SHA512
e0bc1702650bc3e2b24ccc29eefb38bda26c5f230b65ee8e8fc22dea95ed55a23366785d7e98e19eace39c5f529a64c9e41cc0e6854438993051c92c0fb49e74

Download Submit
C:\Users\Admin\Downloads\ukraine.exe

Filesize
91KB

MD5
7834280ba27c5b1ddc9659ad7089816a

SHA1
f7bed8501aa73d6d46dad54dd70590d00b75ab62

SHA256
8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e

SHA512
e0bc1702650bc3e2b24ccc29eefb38bda26c5f230b65ee8e8fc22dea95ed55a23366785d7e98e19eace39c5f529a64c9e41cc0e6854438993051c92c0fb49e74

Download Submit
C:\Users\Admin\Downloads\ukraine.exe

Filesize
91KB

MD5
7834280ba27c5b1ddc9659ad7089816a

SHA1
f7bed8501aa73d6d46dad54dd70590d00b75ab62

SHA256
8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e

SHA512
e0bc1702650bc3e2b24ccc29eefb38bda26c5f230b65ee8e8fc22dea95ed55a23366785d7e98e19eace39c5f529a64c9e41cc0e6854438993051c92c0fb49e74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p4wq22x\0p4wq22x.0.cs

Filesize
234B

MD5
b5bc6f9136dce704041d49aebb0b4fa1

SHA1
9b2966bebcbd68d70a40f85682f148d5c6bbb8bb

SHA256
d17a04b258a3f4d6c07a25e77ca59c310f7030062eceec328eea1f0d2047f024

SHA512
e828bc3fae857240e623fd28c2524b56c8d294ac2bf45a24869dc6786a7cd2d5bd2299546a2a9b4b286f96b91e48c2d8f185a3d508808edf06a4da0e54b02c6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p4wq22x\0p4wq22x.cmdline

Filesize
369B

MD5
4d7203fca2835ace7aa7fb4dbc06ce2c

SHA1
ce8da3932162ada2f83b8318b300a418e5b75454

SHA256
81d35e8b505c3141241b490c227273e417fcf9133833275b617f19f139010eb8

SHA512
5493247ef63decc7eb83da20a47814bbf95c7821b4912840f8ed2b44243eb9dea3f835d8714a809fe2dfd3861093622ca901444bbf727f83e231ce2b4bdaaf67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p4wq22x\CSCF4C446F2AB6F4BFBB7ABB13A5988F9.TMP

Filesize
652B

MD5
b57e36f41b1d911f74f6800d7a2ba46d

SHA1
f7382ff365635e5a2499dcd34a40f92b660f1902

SHA256
ac93e9f418307389d4b49260877d870807be9048150a03ab254c17c461822690

SHA512
5e50794318c375d8e029ca6c5c00c4a051c10b29130cddbc36154c9fa9042097cda368e497e0442c2a5b0cdfe2974dc4ed3b40e71484cccdba8aa9c5a8576918

Download Submit
memory/344-329-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/344-340-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/344-352-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/344-350-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/344-362-0x0000000007190000-0x000000000780A000-memory.dmp

Filesize
6.5MB

Download
memory/344-363-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/344-366-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/344-316-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/344-315-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/344-317-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/344-327-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/344-351-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/344-328-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/344-330-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4844-382-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4844-379-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-369-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4844-368-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4844-395-0x0000000004FD0000-0x0000000004FD8000-memory.dmp

Filesize
32KB

Download
memory/4844-398-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-367-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4916-381-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4916-417-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download