badrabbit | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@RegistrySmart.exe
Size

1.0MB
MD5

0002dddba512e20c3f82aaab8bad8b4d
SHA1

493286b108822ba636cc0e53b8259e4f06ecf900
SHA256

2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512

497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Score

10^/10

badrabbit bootkit discovery evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

360 1624 rundll32.exe
372 1624 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

is-C3CH1.tmpRegistrySmart.exeLauncher.exeRegistrySmart.exe9DBE.tmp

pid process

3872 is-C3CH1.tmp
1412 RegistrySmart.exe
1224 Launcher.exe
3124 RegistrySmart.exe
816 9DBE.tmp
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\RestoreClose.tiff rundll32.exe

flow	pid	process
360	1624	rundll32.exe
372	1624	rundll32.exe

pid	process
3872	is-C3CH1.tmp
1412	RegistrySmart.exe
1224	Launcher.exe
3124	RegistrySmart.exe
816	9DBE.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RestoreClose.tiff	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

is-C3CH1.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	is-C3CH1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegistrySmart = "\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"	is-C3CH1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

is-C3CH1.tmp

description	ioc	process
File created	C:\Program Files (x86)\RegistrySmart\is-56H0E.tmp	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-K6R2K.tmp	is-C3CH1.tmp
File opened for modification	C:\Program Files (x86)\RegistrySmart\RegistrySmart.url	is-C3CH1.tmp
File opened for modification	C:\Program Files (x86)\RegistrySmart\unins000.dat	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\unins000.dat	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-MPR21.tmp	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-B6UH2.tmp	is-C3CH1.tmp

Drops file in Windows directory 6 IoCs

Processes:

rundll32.exeRegistrySmart.exeRegistrySmart.exe

description	ioc	process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\9DBE.tmp	rundll32.exe
File created	C:\Windows\Tasks\RegistrySmart Scheduled Scan.job	RegistrySmart.exe
File opened for modification	C:\Windows\Tasks\RegistrySmart Scheduled Scan.job	RegistrySmart.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3180 schtasks.exe
3316 schtasks.exe

pid	process
3180	schtasks.exe
3316	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe9DBE.tmp

pid	process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
1624	rundll32.exe
1624	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

rundll32.exe9DBE.tmpwevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeShutdownPrivilege	1624	rundll32.exe
Token: SeDebugPrivilege	1624	rundll32.exe
Token: SeTcbPrivilege	1624	rundll32.exe
Token: SeDebugPrivilege	816	9DBE.tmp
Token: SeSecurityPrivilege	3228	wevtutil.exe
Token: SeBackupPrivilege	3228	wevtutil.exe
Token: SeSecurityPrivilege	1424	wevtutil.exe
Token: SeBackupPrivilege	1424	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeSecurityPrivilege	1740	wevtutil.exe
Token: SeBackupPrivilege	1740	wevtutil.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

RegistrySmart.exeRegistrySmart.exe

pid process

1412 RegistrySmart.exe
1412 RegistrySmart.exe
3124 RegistrySmart.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

RegistrySmart.exeRegistrySmart.exe

pid process

1412 RegistrySmart.exe
1412 RegistrySmart.exe
3124 RegistrySmart.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

RegistrySmart.exeLauncher.exeRegistrySmart.exeLogonUI.exe

pid process

1412 RegistrySmart.exe
1412 RegistrySmart.exe
1224 Launcher.exe
3124 RegistrySmart.exe
3124 RegistrySmart.exe
3124 RegistrySmart.exe
3408 LogonUI.exe

pid	process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
3124	RegistrySmart.exe

pid	process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
3124	RegistrySmart.exe

pid	process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
1224	Launcher.exe
3124	RegistrySmart.exe
3124	RegistrySmart.exe
3124	RegistrySmart.exe
3408	LogonUI.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Endermanch@RegistrySmart.exeis-C3CH1.tmpRegistrySmart.exeLauncher.exerundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 360 wrote to memory of 3872	360	Endermanch@RegistrySmart.exe	is-C3CH1.tmp
PID 360 wrote to memory of 3872	360	Endermanch@RegistrySmart.exe	is-C3CH1.tmp
PID 360 wrote to memory of 3872	360	Endermanch@RegistrySmart.exe	is-C3CH1.tmp
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	RegistrySmart.exe
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	RegistrySmart.exe
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	RegistrySmart.exe
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	Launcher.exe
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	Launcher.exe
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	Launcher.exe
PID 1224 wrote to memory of 3124	1224	Launcher.exe	RegistrySmart.exe
PID 1224 wrote to memory of 3124	1224	Launcher.exe	RegistrySmart.exe
PID 1224 wrote to memory of 3124	1224	Launcher.exe	RegistrySmart.exe
PID 2496 wrote to memory of 1624	2496	rundll32.exe	rundll32.exe
PID 2496 wrote to memory of 1624	2496	rundll32.exe	rundll32.exe
PID 2496 wrote to memory of 1624	2496	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 4084	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 4084	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 4084	1624	rundll32.exe	cmd.exe
PID 4084 wrote to memory of 1344	4084	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 1344	4084	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 1344	4084	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 4056	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 4056	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 4056	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1964	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1964	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1964	1624	rundll32.exe	cmd.exe
PID 4056 wrote to memory of 3180	4056	cmd.exe	schtasks.exe
PID 4056 wrote to memory of 3180	4056	cmd.exe	schtasks.exe
PID 4056 wrote to memory of 3180	4056	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 816	1624	rundll32.exe	9DBE.tmp
PID 1624 wrote to memory of 816	1624	rundll32.exe	9DBE.tmp
PID 1964 wrote to memory of 3316	1964	cmd.exe	schtasks.exe
PID 1964 wrote to memory of 3316	1964	cmd.exe	schtasks.exe
PID 1964 wrote to memory of 3316	1964	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1804	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1804	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1804	1624	rundll32.exe	cmd.exe
PID 1804 wrote to memory of 3228	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 3228	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 3228	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1424	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1424	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1424	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 8	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 8	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 8	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1740	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1740	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 1740	1804	cmd.exe	wevtutil.exe
PID 1804 wrote to memory of 2264	1804	cmd.exe	fsutil.exe
PID 1804 wrote to memory of 2264	1804	cmd.exe	fsutil.exe
PID 1804 wrote to memory of 2264	1804	cmd.exe	fsutil.exe
PID 1624 wrote to memory of 296	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 296	1624	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 296	1624	rundll32.exe	cmd.exe
PID 296 wrote to memory of 2968	296	cmd.exe	schtasks.exe
PID 296 wrote to memory of 2968	296	cmd.exe	schtasks.exe
PID 296 wrote to memory of 2968	296	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp" /SL4 $20118 "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 55808
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\RegistrySmart\Launcher.exe
"C:\Program Files (x86)\RegistrySmart\Launcher.exe" 0:
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe" launch
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3986010080 && exit"
3⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3986010080 && exit"
4⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
4⤵
- Creates scheduled task(s)
PID:3316

C:\Windows\9DBE.tmp
"C:\Windows\9DBE.tmp" \\.\pipe\{EB320252-F393-4574-A51C-EA9681B5F958}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\cmd.exe
/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Setup
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl System
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Security
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Application
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\fsutil.exe
fsutil usn deletejournal /D C:
4⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN drogon
3⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN drogon
4⤵
PID:2968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Data Destruction

T1485

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RegistrySmart\Launcher.exe
MD5
412a943768c74c06db9955d8cba40ed4

SHA1
e75a8b91bc28187edfb847c46a3d763bdb89b2cf

SHA256
8537ad8b3b76f4852c3402592e7b5b7b6d39f3477e9bc5fbe7d8af3c94d3865c

SHA512
c924dff545961ddcbd4e5ca56af1a6862e5e9f596c1f830edc2c022947cecc5c59ce72f60b7a38c3f3d32503ae349565419daa5164bd2e96d13f19736b17c4b4

Download Submit
C:\Program Files (x86)\RegistrySmart\Launcher.exe
MD5
412a943768c74c06db9955d8cba40ed4

SHA1
e75a8b91bc28187edfb847c46a3d763bdb89b2cf

SHA256
8537ad8b3b76f4852c3402592e7b5b7b6d39f3477e9bc5fbe7d8af3c94d3865c

SHA512
c924dff545961ddcbd4e5ca56af1a6862e5e9f596c1f830edc2c022947cecc5c59ce72f60b7a38c3f3d32503ae349565419daa5164bd2e96d13f19736b17c4b4

Download Submit
C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
MD5
b13f9d8e3d5c88f0ddad896d7fe33a88

SHA1
e6d7dd65a85a4f97baa56ae8eb810918ff4d84fd

SHA256
6d6bd6a03387c3f3900b4b5fc1264c73b362698bf42b668b99d0e9b65f1d7663

SHA512
3319c68b7eebe4fe5d4e385cd91226c827668d87751c5b94a2f1aac24b588e83390a349185fc9d430d1eea2e356fbcaa6543b4a5f8e25d875da7deec30c56164

Download Submit
C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
MD5
b13f9d8e3d5c88f0ddad896d7fe33a88

SHA1
e6d7dd65a85a4f97baa56ae8eb810918ff4d84fd

SHA256
6d6bd6a03387c3f3900b4b5fc1264c73b362698bf42b668b99d0e9b65f1d7663

SHA512
3319c68b7eebe4fe5d4e385cd91226c827668d87751c5b94a2f1aac24b588e83390a349185fc9d430d1eea2e356fbcaa6543b4a5f8e25d875da7deec30c56164

Download Submit
C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
MD5
b13f9d8e3d5c88f0ddad896d7fe33a88

SHA1
e6d7dd65a85a4f97baa56ae8eb810918ff4d84fd

SHA256
6d6bd6a03387c3f3900b4b5fc1264c73b362698bf42b668b99d0e9b65f1d7663

SHA512
3319c68b7eebe4fe5d4e385cd91226c827668d87751c5b94a2f1aac24b588e83390a349185fc9d430d1eea2e356fbcaa6543b4a5f8e25d875da7deec30c56164

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp
MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp
MD5
19672882daf21174647509b74a406a8c

SHA1
e3313b8741bd9bbe212fe53fcc55b342af5ae849

SHA256
34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8

SHA512
eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

Download Submit
C:\Users\Admin\Desktop\RegistrySmart.lnk
MD5
059b0b4c4ac280106d72221719fd4cb7

SHA1
98c5b1835ff24aab11d84bdbb17d5df4f60abdd8

SHA256
26e37bb3732bb02dcaaeb827f8ec024b9f3059bf2a9c3299f625ef14a7ebbb63

SHA512
fe3a57639ca46f4580d896806900d39ce51a4e260cc6b1c5f833791a289359b63d4bad1b027f04f2685299f7751944fe23a854472a4f7a8addd61731cb45dab3

Download Submit
C:\Windows\9DBE.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\9DBE.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\Tasks\RegistrySmart Scheduled Scan.job
MD5
065a35daf548fe1dd57bd18a978d967c

SHA1
f3815eab9d1880951c2e7038f2ab75397549177f

SHA256
ba5c875ee1bfb71b9ba7c195b7d3fc02e02b8e7f4b6927636b503fe58e08d46e

SHA512
efe07ce2adfcf0fedd76dd4695b95f359df72945b7f1dac4adb97ae209d8278efb39a3273490cfe5b20c477f48af1cd32460e125dfb3acd7a9aecb1ea134a59c

Download Submit
memory/8-27-0x0000000000000000-mapping.dmp

Download
memory/296-30-0x0000000000000000-mapping.dmp

Download
memory/816-19-0x0000000000000000-mapping.dmp

Download
memory/1224-7-0x0000000000000000-mapping.dmp

Download
memory/1344-15-0x0000000000000000-mapping.dmp

Download
memory/1412-3-0x0000000000000000-mapping.dmp

Download
memory/1424-26-0x0000000000000000-mapping.dmp

Download
memory/1624-12-0x0000000000000000-mapping.dmp

Download
memory/1624-13-0x0000000003A80000-0x0000000003AE8000-memory.dmp

Filesize
416KB

Download
memory/1740-28-0x0000000000000000-mapping.dmp

Download
memory/1804-24-0x0000000000000000-mapping.dmp

Download
memory/1964-17-0x0000000000000000-mapping.dmp

Download
memory/2264-29-0x0000000000000000-mapping.dmp

Download
memory/2968-31-0x0000000000000000-mapping.dmp

Download
memory/3124-9-0x0000000000000000-mapping.dmp

Download
memory/3180-18-0x0000000000000000-mapping.dmp

Download
memory/3228-25-0x0000000000000000-mapping.dmp

Download
memory/3316-22-0x0000000000000000-mapping.dmp

Download
memory/3872-0-0x0000000000000000-mapping.dmp

Download
memory/4056-16-0x0000000000000000-mapping.dmp

Download
memory/4084-14-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads