Analysis (score 8)
- max time kernel: 735s
- max time network: 719s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2023 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: curl-8.4.0_6-win64-mingw.zip
- Resource: win10v2004-20231020-en
Behavioral task: behavioral2
- Sample: curl-8.4.0_6-win64-mingw/BUILD-README.url
- Resource: win10v2004-20231023-en
Behavioral task: behavioral3
- Sample: curl-8.4.0_6-win64-mingw/bin/curl.exe
- Resource: win10v2004-20231023-en
Behavioral task: behavioral4
- Sample: curl-8.4.0_6-win64-mingw/bin/libcurl-x64.dll
- Resource: win10v2004-20231020-en
Behavioral task: behavioral5
- Sample: curl-8.4.0_6-win64-mingw/dep/cacert/LICENSE.url
- Resource: win10v2004-20231025-en
Behavioral task: behavioral6
- Sample: curl-8.4.0_6-win64-mingw/docs/INSTALL.vbs
- Resource: win10v2004-20231020-en
Behavioral task: behavioral7
- Sample: curl-8.4.0_6-win64-mingw/lib/libbrotlicommon.js
- Resource: win10v2004-20231023-en
General
- Target: curl-8.4.0_6-win64-mingw/bin/libcurl-x64.dll
- Size: 5.7MB
- MD5: 735e732457198bb2957c0af960871b59
- SHA1: e823b2fe6a3de1d116d45e747a5f65f5eaf99152
- SHA256: c24394ed346fcd77011b9719e61951a6b10530a51c4b266207c0e8178863f670
- SHA512: f00b1964ee231ff457fe386511be1c7649898632ea259994a065ea0fd032c85dbbb2551cadecf937c5d89f6fde3c64881e447bc7328f6700ff3549dd37a25a32
- SSDEEP: 49152:wO76kdsn34H+O0O2T40aMYtVp+28/jNPwcM4HsdEuIgePGtlqS5kIU6iQA/sVwAp:D7yX404Vp+1jNYcM9EpA1+QVxLOFv+
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 115, pid 3428, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 1256, ukraine.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukraine_flag.jpg" (powershell.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133430360463157279" (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 1036 chrome.exe (2 entries), pid 956 powershell.exe (3 entries), pid 4024 chrome.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid 1036 chrome.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, pid 1036 chrome.exe (63 entries); Token: SeDebugPrivilege, pid 956 powershell.exe (1 entry)
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid 1036 chrome.exe (34 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 1036 chrome.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1036 (chrome.exe) wrote to memory of PID 1488 (procid_target 110), PID 2000 (procid_target 112), PID 1988 (procid_target 113) and PID 4848 (procid_target 114); 64 entries in the original table, duplicate rows collapsed
Processes (indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (PID 3848)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\curl-8.4.0_6-win64-mingw\bin\libcurl-x64.dll,#1
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1036)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1488)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb64bf9758,0x7ffb64bf9768,0x7ffb64bf9778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2000)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1988)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3864)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1480)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3152)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1244)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1340)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2068)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4880)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 404)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe (PID 1524)
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
    - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe (PID 4996)
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x230,0x25c,0x234,0x260,0x7ff6700b7688,0x7ff6700b7698,0x7ff6700b76a8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4912)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5200 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1964)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5388 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4164)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4116 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1492)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3316 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1900)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1772)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5768 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4348)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3344 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:8
  - C:\Users\Admin\Downloads\ukraine.exe (PID 1256)
    Command line: "C:\Users\Admin\Downloads\ukraine.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 4880)
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile '%TEMP%\ukraine_flag.jpg'"
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3428)
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/Flag_of_Ukraine_2.svg/1280px-Flag_of_Ukraine_2.svg.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg'"
        Signatures: Blocklisted process makes network request
    - C:\Windows\SysWOW64\cmd.exe (PID 1916)
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, '%TEMP%\ukraine_flag.jpg', 3)"
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 956)
        Command line: powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\ukraine_flag.jpg', 3)"
        Signatures: Sets desktop wallpaper using registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2296)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebukshbg\ebukshbg.cmdline"
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3624)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C8C.tmp" "c:\Users\Admin\AppData\Local\Temp\ebukshbg\CSC814CC5E2CDC04B6DBC9D79F1D11081EB.TMP"
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4024)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3820 --field-trial-handle=584,i,14066470960426803210,11161861361301085677,131072 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1888)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads