Analysis

  • max time kernel
    735s
  • max time network
    719s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-10-2023 06:47

General

  • Target

    curl-8.4.0_6-win64-mingw/bin/libcurl-x64.dll

  • Size

    5.7MB

  • MD5

    735e732457198bb2957c0af960871b59

  • SHA1

    e823b2fe6a3de1d116d45e747a5f65f5eaf99152

  • SHA256

    c24394ed346fcd77011b9719e61951a6b10530a51c4b266207c0e8178863f670

  • SHA512

    f00b1964ee231ff457fe386511be1c7649898632ea259994a065ea0fd032c85dbbb2551cadecf937c5d89f6fde3c64881e447bc7328f6700ff3549dd37a25a32

  • SSDEEP

    49152:wO76kdsn34H+O0O2T40aMYtVp+28/jNPwcM4HsdEuIgePGtlqS5kIU6iQA/sVwAp:D7yX404Vp+1jNYcM9EpA1+QVxLOFv+

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\curl-8.4.0_6-win64-mingw\bin\libcurl-x64.dll,#1
    1⤵
    PID:3848
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb64bf9758,0x7ffb64bf9768,0x7ffb64bf9778
      2⤵
      PID:1488
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:2
      2⤵
      PID:2000
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:4848
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
      2⤵
      PID:3864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
      2⤵
      PID:1480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
      2⤵
      PID:3152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1244
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1340
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:2068
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:4880
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:404
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
      2⤵
      PID:1524
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x230,0x25c,0x234,0x260,0x7ff6700b7688,0x7ff6700b7698,0x7ff6700b76a8
        3⤵
        PID:4996
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5200 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
      2⤵
      PID:4912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5388 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
      2⤵
      PID:1964
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4116 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:4164
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3316 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1492
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5768 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:1772
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3344 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
      2⤵
      PID:4348
    • C:\Users\Admin\Downloads\ukraine.exe
      "C:\Users\Admin\Downloads\ukraine.exe"
      2⤵
      • Executes dropped EXE
      PID:1256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile '%TEMP%\ukraine_flag.jpg'"
        3⤵
        PID:4880
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg'"
          4⤵
          • Blocklisted process makes network request
          PID:3428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, '%TEMP%\ukraine_flag.jpg', 3)"
        3⤵
        PID:1916
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg', 3)"
          4⤵
          • Sets desktop wallpaper using registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:956
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.cmdline"
            5⤵
            PID:2296
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C8C.tmp" "c:\Users\Admin\AppData\Local\Temp\ebukshbg\CSC814CC5E2CDC04B6DBC9D79F1D11081EB.TMP"
              6⤵
              PID:3624
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3820 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4024
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 72B
    MD5: c3458f1e615034b321b90113b87375b1
    SHA1: c2b55d9a595af8abad6300e99fd60c737b38b89d
    SHA256: 89405afb86fb70d69e656b0f8754dbdee3d384b7d4f91d0de96bae93af869e4a
    SHA512: f927574dd9ab870ced2a120281c83c9e58f5c08712a0b65b70c6b2765f19362e87573162c72085a1edb297c473549cf7ee331845a3fd9ce560625b2e5bbd0497

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 34588b2ff04d17dbbbd2f86f09983bd9
    SHA1: 60dbf0ce64bf1c77ed83aced90d13701f0732048
    SHA256: 5a088acaec3006b94b8fb0f5ae74282c9648f060615b3e651f388402bfe74564
    SHA512: 7a5b992155dd83f8f7137accc1f26c2ffc0711edc0415acc8c4c46da65d6e7e0f1958b342113a673408e16931bd00d151107a8caa189971ea41e330217a55e75

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: beb9bbd44bf0d94df73ce2905b424ecc
    SHA1: e0a3a93d99acfa27f88547f17309ff27fd2cdd5a
    SHA256: 2c3b1b23badb9c47157a644458c6c7d786978e0577ac8e9c33487b57675c0a56
    SHA512: d0e27597568f5e8271b564f0d3d94a4a081eca8858d929b90fa9ff2df08b4f3d414cb329be22318aed21dc3608774b7e3f77cd316a1904b31e44d57f1c60100b

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 44d5595e52bec8771af23ad806cd3c9d
    SHA1: bf763298751d29caf77c8302454cb2e2c5e3de78
    SHA256: b9ca8036255b7b995e90576e8de01a869b0f224f23da522046c5c7a07ec15499
    SHA512: daa3e37d4da27a129d3bfc19192199e2f5f76d083e305c7c6a3ba75505ae313a20d70d49593ca918c5ef06cdb0c67d90b8586c3b499fe95a507f21527929191e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 371B
    MD5: a9e2867440da32bcab8abc400e9bc04b
    SHA1: 81a23476b3e4fcaa20aaee2b3b639de27311f6b3
    SHA256: 44d1be73fc2e6f5cb61ceb97f116cdc87c35935585188332d4c5b37b15076f58
    SHA512: 191892d6d72c38b5f1f06f6c640cc61f8682277df771470036544fa3bfe858247926e566e639510ee25eae4de73f8831b534e37b9c7239501403c79151c0e658

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 2337573a78e3a4acf558175e8c797c30
    SHA1: ed63ccd114a450e32fa82ce9df69ae6f8406c328
    SHA256: b5f07646e808f49852033c87af48d74a066ad1fd9f0d7068e5e52227b08b0176
    SHA512: c0f510537fbcbf429f6625835b4cba2b59b4b51edcb3b5c4523923d20fe5bc26c3f2915e57a14f09fdc88b19b6c971d57268f1e383215a79dd88d643b5e18939

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 66d78123e6bbc15e2db91fe9575eacfb
    SHA1: c951ca6228d60a1868b20cf98db97c7b0578b10f
    SHA256: c7b524f702e5814dec0748311d5505c807ff518123e2e753e7561db004bedaa6
    SHA512: c0572b8861be197bb833898479ad96ba7a19c4ba2c9273a5a8355cdc0171f89089f3873e6a652b860e6443181a78f6f1d4098ea509c3ab3553e04e23b0630fb0

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize: 15KB
    MD5: 0aa79d3bd8ee79a4106a626b86f4a129
    SHA1: b514dc3d4358eb55dc9be023c45fae7421627e19
    SHA256: 7e1762b9ae08eab569c5b356dd48e482b9a06d06547180fb0d4365c1a334bd5c
    SHA512: 99de9e95bff2a26f05c5954c00cd777ce5203c19e8c131607f124a5330a3efcce0255010d9c339efd5bf48a0c80dfb800bf80760a7c9fdffe543ddb4842b66fc

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 217KB
    MD5: 61795c4daeddf9d07982670fdc806267
    SHA1: cd90edb8ae16a3e2834ea8e4ce493984f8e939ca
    SHA256: cc3df98a2f54d3e9a4225015f892395fb6616379f94842c6cc7393f9ebe131a6
    SHA512: b4cbdd8184de22b505b845520f222f88b579919cd6e2bdb93eec7db91894f05c8046a80b2a4e7767a2ab35cc88a479fef791015687541a06a7fb74e3b8859266

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 95201d9e44c732d9b261b4b334505d6b
    SHA1: d5f3f499ef27920d8a614152191a7e0c2f9c0264
    SHA256: baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669
    SHA512: 15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

  • C:\Users\Admin\AppData\Local\Temp\RES4C8C.tmp
    Filesize: 1KB
    MD5: 004801111fd9d48a4ff6fe588549f39c
    SHA1: 704ec5cebe6eb10066268b1ddd02c7762dd2624b
    SHA256: 89ffeb38953714263bcd6829af67b32d078aa3e024a6a8b2caf9fd3b3a929000
    SHA512: 47eec96a7bc21e2863a84ab5850665aaba156b8b3a1a153fa3349cef10f1c4c2fab6d976cd07527bf38f7119ea760ac75b9da518e8402fb177cbf88587b4d1f2

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfh2xubq.hni.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.dll
    Filesize: 3KB
    MD5: a5a887f68af3e2bc0c05b4db8e162861
    SHA1: 70443688dc6746fd5fd10f380d95ab97ac6fdc07
    SHA256: 5be0d72c6bb18a55e68e7bf45ad3b2152a3d1bdf70622e254f015315ed87a3c2
    SHA512: 85c56c0b1b0d90676236ae2749a495975c7e226ee9b1c592a54c9e0595120a4c45b9005ea86b182c109e418f78eaad53cbbe2aad720e5016b95c4a0af357f468

  • C:\Users\Admin\Downloads\ukraine.exe
    Filesize: 91KB
    MD5: 7834280ba27c5b1ddc9659ad7089816a
    SHA1: f7bed8501aa73d6d46dad54dd70590d00b75ab62
    SHA256: 8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e

                                                          SHA512

                                                          e0bc1702650bc3e2b24ccc29eefb38bda26c5f230b65ee8e8fc22dea95ed55a23366785d7e98e19eace39c5f529a64c9e41cc0e6854438993051c92c0fb49e74

• \??\c:\Users\Admin\AppData\Local\Temp\ebukshbg\CSC814CC5E2CDC04B6DBC9D79F1D11081EB.TMP
  Filesize: 652B
  MD5: 1b4f335369855057048c48418171a327
  SHA1: 1fe83691a51ccec4b363b9839a721b4815ae6a1f
  SHA256: 8d448484abfbb6284d16500bc3e0581423fa6574abd1283ed700d0fa90e1160a
  SHA512: b5fa7ffa09e23c75093df8b306954e8002f1b385048700c80a2932597c493ecd6ed974d1e80f695285ea0ecd21b7c6bf6fb99e55955696957fb77b496e23e117

• \??\c:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.0.cs
  Filesize: 234B
  MD5: b5bc6f9136dce704041d49aebb0b4fa1
  SHA1: 9b2966bebcbd68d70a40f85682f148d5c6bbb8bb
  SHA256: d17a04b258a3f4d6c07a25e77ca59c310f7030062eceec328eea1f0d2047f024
  SHA512: e828bc3fae857240e623fd28c2524b56c8d294ac2bf45a24869dc6786a7cd2d5bd2299546a2a9b4b286f96b91e48c2d8f185a3d508808edf06a4da0e54b02c6a

• \??\c:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.cmdline
  Filesize: 369B
  MD5: bcb9003c759c5f07798cd6fb519dc063
  SHA1: 7d87d53d719c5b05d1d5fbc8de39b672e8af2b32
  SHA256: 7fa585ad40cc24d94a54d9fc4c4e0648575d8dc469ddc18ac7a9811e06796cac
  SHA512: 800d8651e74a6edb208700b6629c2a98d0a45d501518aabd8d9b13fe992631d935a0492eb73a31e0fec991c00d91b5b161963787c2ceefbfcd36215bb0953e47

• memory/956-129-0x0000000005BD0000-0x0000000005F24000-memory.dmp (Filesize: 3.3MB)
• memory/956-117-0x00000000057F0000-0x0000000005812000-memory.dmp (Filesize: 136KB)
• memory/956-142-0x0000000007850000-0x0000000007ECA000-memory.dmp (Filesize: 6.5MB)
• memory/956-143-0x0000000006540000-0x000000000655A000-memory.dmp (Filesize: 104KB)
• memory/956-131-0x0000000006080000-0x00000000060CC000-memory.dmp (Filesize: 304KB)
• memory/956-130-0x0000000006040000-0x000000000605E000-memory.dmp (Filesize: 120KB)
• memory/956-113-0x0000000004A10000-0x0000000004A46000-memory.dmp (Filesize: 216KB)
• memory/956-128-0x0000000005B60000-0x0000000005BC6000-memory.dmp (Filesize: 408KB)
• memory/956-123-0x0000000005890000-0x00000000058F6000-memory.dmp (Filesize: 408KB)
• memory/956-141-0x0000000004B80000-0x0000000004B90000-memory.dmp (Filesize: 64KB)
• memory/956-159-0x0000000004CE0000-0x0000000004CE8000-memory.dmp (Filesize: 32KB)
• memory/956-162-0x0000000074B10000-0x00000000752C0000-memory.dmp (Filesize: 7.7MB)
• memory/956-116-0x0000000004B80000-0x0000000004B90000-memory.dmp (Filesize: 64KB)
• memory/956-115-0x00000000051C0000-0x00000000057E8000-memory.dmp (Filesize: 6.2MB)
• memory/956-114-0x0000000074B10000-0x00000000752C0000-memory.dmp (Filesize: 7.7MB)
• memory/1256-168-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
• memory/1256-151-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
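The dropped-file hashes and memory-dump names above are what an analyst carries out of a report like this, so here is an added example (editor's code, not part of the sandbox report or of the curl project) of turning the flattened label/value listing into records. It collapses the repeated ukraine.exe entries, derives the size each memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp name implies (0x5F24000 - 0x5BD0000 = 0x354000 bytes, which rounds to the listed 3.3MB), groups the ebukshbg files by directory, and matches arbitrary bytes against the listed hashes as an offline IOC check. The embedded sample text is constructed from entries on this page. One point of interpretation: a directory holding *.0.cs, *.cmdline, *.dll and CSC*.TMP/RES*.tmp files is the layout csc.exe leaves behind when PowerShell compiles C# through Add-Type, and __PSScriptPolicyTest_*.ps1 is the probe file PowerShell writes to test script enforcement policy; the report only lists the files, so treat that reading as the analyst's, not the report's.

```python
"""Parse a sandbox 'Dropped files' listing in the flattened label/value layout
used on this page, collapse repeated entries and sanity-check what is listed."""
import hashlib
import re

# Constructed sample in the report's layout (hashes copied from this page); the
# second ukraine.exe entry repeats the first verbatim, as the report itself does.
SAMPLE = r"""• C:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.dll
  Filesize
  3KB
  MD5
  a5a887f68af3e2bc0c05b4db8e162861
  SHA256
  5be0d72c6bb18a55e68e7bf45ad3b2152a3d1bdf70622e254f015315ed87a3c2
• C:\Users\Admin\Downloads\ukraine.exe
  Filesize
  91KB
  SHA256
  8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e
• C:\Users\Admin\Downloads\ukraine.exe
  SHA256
  8b17f33b1a75951807db7e3671a49ce5ec7373a9187346374951b04c1cdc946e
• \??\c:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.0.cs
  Filesize
  234B
• \??\c:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.cmdline
  Filesize
  369B
• memory/956-129-0x0000000005BD0000-0x0000000005F24000-memory.dmp
  Filesize
  3.3MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_LEN}
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return one {'path': ..., 'Filesize': ..., 'MD5': ..., ...} dict per bullet."""
    records, pending = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):                      # a bullet opens a new record
            records.append({"path": line[1:].strip()})
            pending = None
        elif pending is None:                          # expect a label line
            pending = line if (line in LABELS and records) else None
        else:                                          # value line for the pending label
            if pending in HASH_LEN:
                line = line.lower()
                if len(line) != HASH_LEN[pending] or set(line) - set("0123456789abcdef"):
                    raise ValueError(f"malformed {pending} for {records[-1]['path']}: {line}")
            records[-1][pending] = line
            pending = None
    return records


def normalize(path):
    """Drop the NT '\\??\\' prefix and fold case so both spellings of a path compare equal."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def dedupe(records):
    """Keep the first of entries that repeat the same path and SHA256."""
    seen, out = set(), []
    for rec in records:
        key = (normalize(rec["path"]), rec.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def memdump_size(path):
    """Bytes implied by a memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp name, else None."""
    m = MEMDUMP.match(path)
    return int(m.group(4), 16) - int(m.group(3), 16) if m else None


def human_size(n):
    """Format as the report does: one-decimal MB from 1 MiB up, integer KB, else bytes."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB" if n >= 1024 else f"{n}B"


def compile_dirs(records):
    """Directories holding both *.cs and *.cmdline (csc.exe input from a PowerShell Add-Type)."""
    exts_by_dir = {}
    for rec in records:
        directory, _, name = normalize(rec["path"]).rpartition("\\")
        exts_by_dir.setdefault(directory, set()).add(name.rpartition(".")[2])
    return sorted(d for d, exts in exts_by_dir.items() if {"cs", "cmdline"} <= exts)


def check_bytes(records, data):
    """Records whose listed hashes match `data`: an offline IOC check for a local file."""
    digests = {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LEN}
    return [rec for rec in records if any(rec.get(a) == digests[a] for a in HASH_LEN)]


if __name__ == "__main__":
    for rec in dedupe(parse_listing(SAMPLE)):
        print(rec["path"], rec.get("Filesize"), memdump_size(rec["path"]))
```

To check a file on disk against the report, read it with `open(path, "rb").read()` and pass the bytes to `check_bytes`; a non-empty result names the listed entry it matches. Hash validation is strict on purpose: a truncated or non-hex digest in an IOC list silently matches nothing, so it is better to fail while parsing than to miss a hit later.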