Malware Analysis Report

2025-03-15 00:03

Sample ID 241008-ehg3ba1hkh
Target 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk
SHA256 33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a
Tags
hackbrowserdata discovery execution infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a

Threat Level: Known bad

The file 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk was found to be: Known bad.

Whatever the "ryuk" suffix of the submitted filename suggests, the behaviour recorded in both detonations is that of an infostealer dropper: the executable starts WScript.exe with hideCMD.vbs, which runs ha.bat through cmd.exe; the batch file launches the bundled HackBrowserData binary (toboot\hack-browser-data.exe -f json --dir res --zip), pauses with timeout.exe, compresses the res output directory to res.zip with PowerShell and then runs HBDSend.ps1 with the execution policy bypassed. In the Windows 10 run (behavioral2) a PowerShell process connected to smtp.mail.ru on TCP 587; the Windows 7 run (behavioral1) recorded no network traffic.

Malicious Activity Summary

hackbrowserdata discovery execution infostealer spyware stealer

An open-source browser data exporter written in Go.

HackBrowserData

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 03:56

Reported

2024-10-08 06:24

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"

Signatures

An open-source browser data exporter written in Go.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

HackBrowserData

infostealer hackbrowserdata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Parent process (PID) -> child process (PID): write events
C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe (2260) -> C:\Windows\System32\WScript.exe (2364): 3
C:\Windows\System32\WScript.exe (2364) -> C:\Windows\System32\cmd.exe (2264): 3
C:\Windows\System32\cmd.exe (2264) -> C:\Windows\system32\cmd.exe (1056): 3
C:\Windows\system32\cmd.exe (1056) -> C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe (1496): 3
C:\Windows\System32\cmd.exe (2264) -> C:\Windows\system32\timeout.exe (464): 3
C:\Windows\System32\cmd.exe (2264) -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (1852): 3
C:\Windows\System32\cmd.exe (2264) -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2892): 3
C:\Windows\System32\cmd.exe (2264) -> C:\Windows\system32\timeout.exe (2648): 3

Every pair above is a parent writing into a child it has just created, which reproduces the process tree shown under Processes. This is consistent with ordinary process creation (the parent writes the new child's startup parameters into its address space) and is not evidence of code injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "

C:\Windows\system32\cmd.exe

cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"

C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

.\toboot\hack-browser-data.exe -f json --dir res --zip

C:\Windows\system32\timeout.exe

timeout /t 4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -file "HBDSend.ps1"

C:\Windows\system32\timeout.exe

timeout /t 4

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD

MD5 161010715d0c362173bf20c28c2fd9b7
SHA1 f80849d90d3a9843a658e5560f000f97fc4d8d01
SHA256 de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7
SHA512 c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs

MD5 8cb717954c207bc5d1866f0b91f3705b
SHA1 bb2eb348bbaae1c03f0e8a69fe632acf3654906d
SHA256 5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125
SHA512 28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

C:\Users\Admin\AppData\Local\Temp\ha.bat

MD5 fddf7e3115d866f57c8ee7c39faba7c7
SHA1 380fd6c70888e59b3e6422b482bd993a1c6f4092
SHA256 58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd
SHA512 3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

MD5 6c66514d0e3b4cf5a2e4c2844efcb1f3
SHA1 682d46485ce44e719309f80483221d82011c3779
SHA256 7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8
SHA512 4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5

C:\Users\Admin\AppData\Local\Temp\chromiumKey

MD5 068616c682ecf110e197df944c8e91a5
SHA1 34e6742941f8c169e0748d24a1b250bdaebc8fe3
SHA256 c26e61d6f32eba06f51d8bf7dc51fa8b5092d95141696e0d38909ae611675cc0
SHA512 7b352babd9abd73c7b9857b08a245d4971cda801e6fb0e215cb5f1b588a42573faf526bfa750a18430c329bc517d61c0deec42ff0dd88022b32bd6b20cd3a30f

memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp

memory/1852-221-0x000000001B380000-0x000000001B662000-memory.dmp

memory/1852-222-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f43d80a30a7b0b576b1a75b79451ba6d
SHA1 2bdc955a39946779f0c40e1c86d7416565f0f3a6
SHA256 97081cd1ff330ea118f919e4a6fa81ff8cf82ea1d0ec69ee8c0928a3702210b8
SHA512 3ca728b8047fad191cb126c8249200ac9c92299675d2d5c04f5754baf56b41e332bbfb751062f45e8d882bbee9451d4d84ecd73fcc5e5346ad235d5178968484

memory/2892-228-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2892-229-0x00000000022A0000-0x00000000022A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1

MD5 4802a57c6fccba23e67bc66c31356d4f
SHA1 fc030aa0f325b17643f58c2659c0742890d9f3d7
SHA256 5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35
SHA512 9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 03:56

Reported

2024-10-08 10:55

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"

Signatures

An open-source browser data exporter written in Go.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

HackBrowserData

infostealer hackbrowserdata

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Geo\Nation holds the user's GEOID and is read by many legitimate programs during locale initialisation (it backs GetUserGeoID). On its own this is a weak indicator, and the report does not show the value being acted on.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe N/A

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Parent process (PID) -> child process (PID): write events
C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe (960) -> C:\Windows\System32\WScript.exe (2700): 2
C:\Windows\System32\WScript.exe (2700) -> C:\Windows\system32\cmd.exe (1596): 2
C:\Windows\system32\cmd.exe (1596) -> C:\Windows\system32\cmd.exe (1348): 2
C:\Windows\system32\cmd.exe (1348) -> C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe (1264): 2
C:\Windows\system32\cmd.exe (1596) -> C:\Windows\system32\timeout.exe (3000): 2
C:\Windows\system32\cmd.exe (1596) -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (4256): 2
C:\Windows\system32\cmd.exe (1596) -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (1260): 2
C:\Windows\system32\cmd.exe (1596) -> C:\Windows\system32\timeout.exe (2180): 2

As in behavioral1, each pair is a parent writing into a child it has just created, i.e. the process tree under Processes rather than injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "

C:\Windows\system32\cmd.exe

cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"

C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

.\toboot\hack-browser-data.exe -f json --dir res --zip

C:\Windows\system32\timeout.exe

timeout /t 4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -file "HBDSend.ps1"

C:\Windows\system32\timeout.exe

timeout /t 4

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 smtp.mail.ru udp
RU 94.100.180.160:587 smtp.mail.ru tcp
US 8.8.8.8:53 160.180.100.94.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
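
Of the destinations above, g.bing.com and the in-addr.arpa reverse lookups are routine Windows 10 background traffic in a sandbox; the connection to smtp.mail.ru on TCP 587 (mail submission) is the one that fits the "Blocklisted process makes network request" signature on powershell.exe, although the report does not tie it to a PID. The following Python is an added detection example, not part of the sandbox report: it reproduces the behavioral2 process tree and that connection as constructed process-creation and network events and correlates four behaviours seen above into one alert per process tree: WScript.exe launching a .bat from the user's Temp directory, execution of hack-browser-data.exe (or its -f/--dir/--zip flag combination), PowerShell started with -ep bypass -file on a .ps1, and a PowerShell process connecting to an SMTP port. PIDs, images and command lines are copied from the report; the field names, the attribution of the SMTP connection to the HBDSend.ps1 PowerShell instance (PID 1260) and the alert threshold are assumptions.

```python
"""Correlate the HackBrowserData dropper chain from process and network events.

Added example, not from the sandbox report. Event records below are constructed
from the behavioral2 Processes and Network sections; field names, the PID of the
PowerShell process that reached smtp.mail.ru, and the alert threshold are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst: str
    dst_port: int
    proto: str = "tcp"


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = TEMP + r"\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"

# Constructed from the behavioral2 process list (PIDs from the WriteProcessMemory table).
PROCS = [
    ProcEvent(960, 0, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2700, 960, r"C:\Windows\System32\WScript.exe",
              rf'"C:\Windows\System32\WScript.exe" "{TEMP}\hideCMD.vbs"'),
    ProcEvent(1596, 2700, r"C:\Windows\system32\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c ""{TEMP}\ha.bat" "'),
    ProcEvent(1348, 1596, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"'),
    ProcEvent(1264, 1348, TEMP + r"\toboot\hack-browser-data.exe",
              r".\toboot\hack-browser-data.exe -f json --dir res --zip"),
    ProcEvent(3000, 1596, r"C:\Windows\system32\timeout.exe", "timeout /t 4"),
    ProcEvent(4256, 1596, PS,
              r'powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force'),
    ProcEvent(1260, 1596, PS, r'powershell -ep bypass -file "HBDSend.ps1"'),
    ProcEvent(2180, 1596, r"C:\Windows\system32\timeout.exe", "timeout /t 4"),
]
# Constructed: the report attributes the request to powershell.exe only; PID 1260 is assumed.
NETS = [NetEvent(1260, PS, "94.100.180.160", 587)]

SMTP_PORTS = {25, 465, 587}
RE_TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.bat\b', re.I)
RE_HBD_FLAGS = re.compile(r"(^|\s)-f\s+\w+.*--dir\s+\S+.*--zip", re.I)
RE_EP_BYPASS = re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)
RE_PS1_FILE = re.compile(r'-file\s+"?[^"\s]+\.ps1', re.I)


def base(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image).name.lower()


def rule_hits(procs, nets):
    """Map each process-tree root PID to the sorted list of rules that fired in its tree."""
    by_pid = {p.pid: p for p in procs}
    hits = defaultdict(set)

    def root_of(pid):
        # Walk ppid links until the parent is unknown (or a cycle is detected).
        seen = set()
        while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid].ppid
        return pid

    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = base(parent.image) if parent else ""
        name = base(p.image)
        if pname == "wscript.exe" and name == "cmd.exe" and RE_TEMP_BAT.search(p.cmdline):
            hits[root_of(p.pid)].add("wscript_runs_temp_bat")
        if name == "hack-browser-data.exe" or RE_HBD_FLAGS.search(p.cmdline):
            hits[root_of(p.pid)].add("hackbrowserdata_exec")
        if name == "powershell.exe" and RE_EP_BYPASS.search(p.cmdline) and RE_PS1_FILE.search(p.cmdline):
            hits[root_of(p.pid)].add("powershell_epbypass_script")
    for n in nets:
        if base(n.image) == "powershell.exe" and n.proto == "tcp" and n.dst_port in SMTP_PORTS:
            hits[root_of(n.pid)].add("powershell_smtp_egress")
    return {root: sorted(rules) for root, rules in hits.items()}


def detect(procs, nets, min_rules=3):
    """Alert on process trees where at least min_rules distinct behaviours co-occur."""
    return {root: rules for root, rules in rule_hits(procs, nets).items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for root, rules in detect(PROCS, NETS).items():
        print(f"ALERT root pid {root} ({base(PROCS[0].image)}): {', '.join(rules)}")
```

Each rule is weak alone (Compress-Archive and -ep bypass are common in administration scripts), so the alert requires three of the four to fire within one tree; with the threshold at three the chain is still caught from the process events alone, which matters for the Windows 7 run where no network was captured.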

Files

C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD

MD5 161010715d0c362173bf20c28c2fd9b7
SHA1 f80849d90d3a9843a658e5560f000f97fc4d8d01
SHA256 de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7
SHA512 c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs

MD5 8cb717954c207bc5d1866f0b91f3705b
SHA1 bb2eb348bbaae1c03f0e8a69fe632acf3654906d
SHA256 5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125
SHA512 28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

C:\Users\Admin\AppData\Local\Temp\ha.bat

MD5 fddf7e3115d866f57c8ee7c39faba7c7
SHA1 380fd6c70888e59b3e6422b482bd993a1c6f4092
SHA256 58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd
SHA512 3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

MD5 6c66514d0e3b4cf5a2e4c2844efcb1f3
SHA1 682d46485ce44e719309f80483221d82011c3779
SHA256 7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8
SHA512 4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5

C:\Users\Admin\AppData\Local\Temp\chromiumKey

MD5 958a1ff72044f30f68af82e585733974
SHA1 9ac41e433578b0e8aaa2f4b8ca7cb228d9d412f3
SHA256 d53a7c0b594df00f6c490776af5e2f4697c585a470eb9d2c5d77292722756eaf
SHA512 de9d693a3c8ae4c6814427120bb163737e7714bec98d5c2a825e163addfd497818a9ba9c55b5ca2bddf5b4b2f1ba9588586b2a96405ee443b8babf2433d98256

C:\Users\Admin\AppData\Local\Temp\localStorage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/1264-262-0x00007FF70BCD0000-0x00007FF70D15E000-memory.dmp

memory/4256-268-0x00000223589B0000-0x00000223589D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssqlpobn.fq3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4256-273-0x0000022358A50000-0x0000022358A62000-memory.dmp

memory/4256-274-0x00000223589F0000-0x00000223589FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_bookmark.json

MD5 be3ef38a5549839f142b69e300d32859
SHA1 0d5f559740bbdafbb8ba682ce3c36ad5ad2d9729
SHA256 2cf82dab7376ec4da21b96f13cc93f485ca648d39be003774f7a77ca130e0a58
SHA512 ea9734b74c666ef127d28358c72b6fb79fccc5bb59d81a52b15865fd2760101e91b958944d95b02818859b4d4b608748e4a68160dfe2a729b038803606b4242a

C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_extension.json

MD5 c69904bff2d0e3fdae0d5fcda30ef19d
SHA1 fead75d0019382bfe4250c1c05c69f8845cb1f77
SHA256 0151f2d1ed4d991e25f8e657eced0406b0fe4011a34013dbe5eff7809e80061d
SHA512 406733f0f5f0b8f9d3e898b28b1f89be35e48a86391ed317b0f9e60aebdd1f9581acf3863c8490c3dcb72ed989aed5b33458e5553944968ce318e5ac850c3c77

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c86ee90124c6374bc4c440a308eceb38
SHA1 b2075096ffa0abb9ba5abb0348e921e03fdf97b1
SHA256 99412b05f5ff937533a9c7dfc5ae65a4626c8f7f8b985c0b3a1e0ab5933863c8
SHA512 3dfadcd144a269cdf379aeb7f911642823e0426cda40cd231d90360f2aef7f6e49e68e0eaf742327ea3422a373128fb9652f8a361caa6ba99b8623eef1c6b8de

C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1

MD5 4802a57c6fccba23e67bc66c31356d4f
SHA1 fc030aa0f325b17643f58c2659c0742890d9f3d7
SHA256 5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35
SHA512 9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

C:\Users\Admin\AppData\Local\Temp\res.zip

MD5 da4955f00150bd6659d9fede22cdb031
SHA1 b62d735d547383fc8cd99a39ec8b09373dd0aee7
SHA256 7b2ca17aef33a27c0a304a1db291d62510e6bac8470354d8a20508ad5827dccd
SHA512 aa657169a85d1ac7c5691a7c3eed6cad19bd6c6671f246045bcc3c94df7338a5bd4a0a382588d98539b6c106ec38997a24ea14f25c67b2d564c1197e54e86e09
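
The dropped files (hideCMD.vbs, ha.bat, toboot\hack-browser-data.exe, HBDSend.ps1) hash identically in both detonations, so their SHA-256 values are usable host indicators, while chromiumKey and res.zip differ per victim and only their names and locations are useful. The following Python is an added example, not part of the sandbox report: a sweep that hashes every file under a directory (by default %TEMP%) and reports matches against the hashes above, the dropped-file names, and the HackBrowserData output naming seen in the res directory. The hashes and names are copied from the Files sections; the output-name pattern is generalised from the two firefox_*_bookmark.json / firefox_*_extension.json files observed and is an assumption, and demo() builds a constructed directory with stand-in content rather than real artefacts.

```python
"""Sweep a directory for the artefacts this sample drops, by SHA-256 and by name.

Added example, not from the sandbox report. Hashes and file names are copied
from the Files sections above; the HackBrowserData output-name pattern is an
assumption generalised from the two firefox_*_*.json files observed.
"""
import hashlib
import re
from pathlib import Path

# SHA-256 of the dropped files (identical in both detonations) -> name in the report.
DROPPED_SHA256 = {
    "5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125": "hideCMD.vbs",
    "58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd": "ha.bat",
    "7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8": "toboot\\hack-browser-data.exe",
    "5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35": "HBDSend.ps1",
}
# Name indicators: cheap for the operator to change, so weaker than hashes.
SUSPICIOUS_NAMES = {"hidecmd.vbs", "ha.bat", "hbdsend.ps1", "hack-browser-data.exe", "res.zip", "chromiumkey"}
# Assumed generalisation of firefox_42vejdix_default_release_bookmark.json; extend the
# alternation with other HackBrowserData output kinds if your telemetry shows them.
RE_HBD_OUTPUT = re.compile(r"^[a-z]+_.+_(bookmark|extension)\.json$", re.I)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=DROPPED_SHA256, names=SUSPICIOUS_NAMES, output_re=RE_HBD_OUTPUT):
    """Return sorted (relative POSIX path, reason) pairs for every match under root.

    Reasons are 'sha256:<report name>' for a hash match, 'name' for a dropped-file
    name and 'hbd_output' for a HackBrowserData result file. One file may yield several.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in hashes:
            findings.append((rel, f"sha256:{hashes[digest]}"))
        if path.name.lower() in names:
            findings.append((rel, "name"))
        if output_re.match(path.name):
            findings.append((rel, "hbd_output"))
    return sorted(findings)


def demo():
    """Sweep a constructed Temp-like tree (stand-in content, not the real artefacts)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "toboot").mkdir()
        (root / "res").mkdir()
        # Same name as a dropped file but different content: name hit only.
        (root / "ha.bat").write_bytes(b"@echo constructed sample\r\n")
        # Unrelated name whose hash is added to the IOC set: hash hit only.
        payload = b"constructed binary stand-in"
        (root / "toboot" / "renamed.exe").write_bytes(payload)
        (root / "res" / "firefox_abc123_default_release_bookmark.json").write_bytes(b"[]")
        (root / "notes.txt").write_bytes(b"benign")
        iocs = dict(DROPPED_SHA256)
        iocs[hashlib.sha256(payload).hexdigest()] = "toboot\\hack-browser-data.exe"
        return sweep(root, hashes=iocs)


if __name__ == "__main__":
    import os
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for rel, reason in sweep(target):
        print(f"{reason:40} {rel}")
```

Run it as `python sweep.py C:\Users\<user>\AppData\Local\Temp` on a suspect host; a hash hit on hack-browser-data.exe is high confidence, a bare name hit on ha.bat or res.zip needs the process history above to confirm, and a HackBrowserData output file in a Temp subdirectory means browser credentials and cookies should be treated as exposed regardless of whether the exfiltration step succeeded.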