badrabbit | hxxp://malwarewatch[.]org

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://malwarewatch.org

Score

10^/10

badrabbit mimikatz discovery persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001da5b-394.dat	mimikatz
behavioral1/files/0x000700000001da5b-396.dat	mimikatz

Executes dropped EXE 3 IoCs

pid	Process
2092	564E.tmp
4076	ska2pwej.aeh.tmp
2648	walliant.exe

Loads dropped DLL 22 IoCs

pid	Process
2484	rundll32.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe
2648	walliant.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ska2pwej.aeh.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe"	ska2pwej.aeh.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\564E.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4692	schtasks.exe
4832	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248036211309718"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{1407DBC1-833E-4350-B118-6A6D7D0139A2}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	221	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2484	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe
2484	rundll32.exe
2092	564E.tmp
2092	564E.tmp
2092	564E.tmp
2092	564E.tmp
2092	564E.tmp
2092	564E.tmp
2092	564E.tmp
4076	ska2pwej.aeh.tmp
4076	ska2pwej.aeh.tmp
2144	chrome.exe
2144	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
4076	ska2pwej.aeh.tmp
2648	walliant.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2648	walliant.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	walliant.exe
2648	walliant.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3364	2156	chrome.exe	84
PID 2156 wrote to memory of 3364	2156	chrome.exe	84
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 728	2156	chrome.exe	85
PID 2156 wrote to memory of 3724	2156	chrome.exe	86
PID 2156 wrote to memory of 3724	2156	chrome.exe	86
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88
PID 2156 wrote to memory of 3164	2156	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://malwarewatch.org
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc29d29758,0x7ffc29d29768,0x7ffc29d29778
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:2
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4452 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4840 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3400 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1800,i,13753927532480014330,9882807868971035952,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:1964
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:668
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2876935277 && exit"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2876935277 && exit"
      4⤵
      Creates scheduled task(s)
      PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:38:00
    3⤵
    PID:3628
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:38:00
      4⤵
      Creates scheduled task(s)
      PID:4692
- - C:\Windows\564E.tmp
    "C:\Windows\564E.tmp" \\.\pipe\{AE4CB14B-B544-4FD6-974B-9221C4F47CD2}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2092

C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\is-HRHMK.tmp\ska2pwej.aeh.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HRHMK.tmp\ska2pwej.aeh.tmp" /SL5="$7026C,4511977,830464,C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4076
- - C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe
    "C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4440e7f891feda2cd451d278f2f067c8

SHA1
2d96acd0f496a2824eeb3350e69f27034d090751

SHA256
ab472502d2f34f878f8b9971f221be9765ac592f65a8756b9f89a06e66f8d0a9

SHA512
d05a612f2dff53511732919dc74c7f42707882d8260a4066925e89f353c5cf36c0c5caf4b0490e0601007cd9814380dd823c04c0110e5e2ddc7435996645453d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
826a4d612ecb86f1050b11b533086c1d

SHA1
44b3b2742a664e4c21396c1599fe50ac6510a050

SHA256
43e786bc9194d60413a1d9b8b04f807a6aad4fdcd3b7131c9ce9d8905124a625

SHA512
2edd2d974572d5a23d1f9785358f261788f64feafb77694a04d005b948557b323c9a580c9c9628747c99d6db611b28e764ce5a3d5fa1b6077b4f44e99cc01f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4f93158fce9596cdecb014ee2764a81b

SHA1
e1b5ee066166a941a177e3f4c22c6edb0d863a9a

SHA256
546ae4feec23cb5edcb77623f97d9ac413f8ade5cfba3e79301454fd924705b0

SHA512
8d65a3f6fe37f61b1173a0a2af1be5d3a1887a0499d6a4b38bf18c3475307f29cefc234b157963f5a0ea74314157c68169413f4fd9e7ff6a068cf5161ec0472b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
967b25a961dd732321bcdbb73655cb70

SHA1
88ee99521a04865a4e073ddf40f45a3655b1c0dd

SHA256
b2a051bb603838ac3418d713b5101fbe16520042d2f90e76600c57bcdb98151f

SHA512
dc0002ee6f3a52a2e4da071194ecb5c94b871338ed844e76858ea89c7695ec69d54ea44d1ee61af3b9d56c78850fe64e2acf2d901737bb05c1a5eacc5028cbb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f92d7050a7a1cf726cf61fb5e271c0b0

SHA1
97c960abae40e806a389a166db49bc4d8456e2ef

SHA256
fb8559f741724055d24e7b6708417470e99386984a07afa8719210c98053157f

SHA512
8b71dd20f80c04a425dd16daac1aa9737b25179eb296af5f9f1b9b2acf0db921c5f2b852195d4c7eb8af2a983976ad1b3eb1252fac6d067f569cc0e7ee98c8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
01e50286786120433dfc8ce211c92e3e

SHA1
b9d4a1ae2f5a3992df44439ce26bb1267dfe7d32

SHA256
1da264e4de2ee820be5fb85aca7bc0f41cbf81096dade8b4cdd8e1ad9aa33f95

SHA512
2b8c21adf08cfd716f72696caa32a99ce034444fb8b9d36d258e351d939fc4bb77b83f2b71ec6498cdb88067619abdb2e657f9def07f5dad56b54817705712ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
024d194154eec168830ecdc8d102736b

SHA1
22ab53baad7f818e90b7eb8633fc316f2cdfcc69

SHA256
9bc5e7d3504a841ee65a2d4c65fca13578e62b594372d8f8f580046abf77b839

SHA512
e2743524ed0e5e145450262cc00965d2d83749429d715fc173cdef9f7ad81cbe5811a05c310a42e6c58a85add1e7c55d99941a3a119f0b02a6898d9d4ae19fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a95aa397f92690490bb4e7163d5856a2

SHA1
a00b1af79b4824e9cafffd6ff5a4099a1356feb7

SHA256
c87fb1c69751a3e532aab5276de562df098500a58a9b3d4a19b01611f2f8ae63

SHA512
961a98828689b10aa3f214a2577c2c70929c0150e4e911f100d2371a5fa0da5fbaf2a3e2c010cbdfbd6ef4e67c62342410e7806eebf549061c0e4cdda9f38a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7cd19a146d56649e805b2522fd772e13

SHA1
9a0f4c4c20204c5031b17225ba7f7ec3fa728063

SHA256
8ab3ed2d3077a438f0ec1406801afa1507414daa408afabbe796c7b313214e3a

SHA512
fc512c2287630c3bf8a4a7c68dd8426e6b193587efe02a266056ff93f952e37a940cd94c045b1bf556da025e72ccfb9ba2a598c71df0ad77799fc935501753ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1005d9210782081467d4e39256d7764e

SHA1
f19b34542eb120ff08310f8c89d95ae13b6265a1

SHA256
62e5edca09dabaa587bda7ed62ff2ee58e243ee049311ca25a3e28abc478f13a

SHA512
b57e7dde03558b12876ce9380b7f3070e597f5e92f71bcedab97606b89d5a99638c2a1b62564d89780fa55a245c67d245e81edac5815069196a33a977e38f01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
220454ebb02ea7b05b7ff085c0643d51

SHA1
dba4cf2c940d3c4b1c012ab26ea3ac5ace88f071

SHA256
7caf44043da09393700e6932002010ea2ca1e0126baa69d23ea4ac3b0ddcc38e

SHA512
b020f0d2e08926137c591eaffd27ea0dd8d29662de2ff903d0d1f552c78749a6ec7f6b2c055a61f3eca2115b9a830625f0f7abd6bf88bd4473e0fd997997847a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8e957baf176bf44b7fe141ff47daa589

SHA1
61a5c03369f97be5e83a91645a93fa18f1b271aa

SHA256
385a6caf25a63adca2303429581df2e2b06fa9765174a57ebb252bb8bd8c628c

SHA512
22f6be99388ba80fd84ddf34595bedb41e54baac72ca87af339d958fdcba303bfc9de0022f942c2deeb5da133036a85612adf6fbea94e5e8f52ea13e9f9f4505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
407541ac131675915dbec39de596425c

SHA1
3db9778f4ed828a52f61d7e426fcfb2534f182a9

SHA256
85f8ecad80397d5a82d2170d5c76992facbcaf79a3247bdf139a2168be61758e

SHA512
a019e4419ef67f1d8aecd5b09e866e81dbccdca74cb8ee015eda3e5d7a73240055fc61a1facd8c11099796ea648e60130dc566b524ba383e429fb06551bf81cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
22e25e2815220130189b7c43ddf505fc

SHA1
0e012a2243ca284f7d6d0cbb1d10a8e0a9fb111c

SHA256
d80692b2d5dfe2f10113f0fe7493ac26ce5c68f1eaa53e3caaae78f18c3236b2

SHA512
cd4d6f4112cb1680bc79b1dd74113b70a4c64b13296d6da34b0a0968de79830e525a8934c0438c99c2cf6ca4154f3a564689ccf54714cac768b1f3d1693847bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d28174b2b90a1d1331d783384d83e451

SHA1
d4ed03535657d640bc3a4aa685f94b3e44663541

SHA256
5301a8df50ed6740735b2e058c4ce20cfe0195f534c4d2f975d871f224ae7551

SHA512
909717f01c16b07c83077a2d5d7a5e5108ed4a74b7627cd73d5f76eb5a4809fb2fdc666b1d3a1309a0584f4298c36fe7fee4acdb8ca182fa56a901c64eb500d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe56c132.TMP

Filesize
120B

MD5
fda2e57d8f287563f1a93f0c54f09c22

SHA1
60dac9bd83ad32aac459c98b28c3165f8717bd43

SHA256
c35caf25fdf42ad687b95e431fab43c58cfb16bb6d3d0aceb7fbd14d18e503d8

SHA512
ed1e9dfdd9c3596eb579b1ecfd086b550c13e645932b1c182109b195cc0543975b918ddcb3ad7728968104d2b9e6b6856a09f0cf14e04b44a78877ef54ccab5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
8b5d69f8c342d1c168dfa428c106b375

SHA1
d0a9fcae6eb189336ecbd9efc418f23b61524436

SHA256
41e28b85df45917923e7fb1d56dcfcd88c8f63d5cd582855ff53f4a69c4e707e

SHA512
4a85e5a859cb0d38b2dd4b7a7e091b4d0bfc8cbec05557eccf949e32db697de23205127e1a663d6d7109d95e894c6398e0b52831294f8de203a710aa72db36c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
198b868ecff3474e1ef779ad2fd168de

SHA1
94f32f011a9e6bf5d7f28cb45c0b205361ea5b79

SHA256
4f3558fd85e0b070d4d1b38eeb515add6ef3cec5033f069a2e26066d32bfd778

SHA512
d3f5a3703a0260399b5f9047dfec280f20fd9f221a1595426e85a017fc35693c224d7186d9fefcf481e1f50d1a05726c1bd0016a18ea19bc2a7f58572f02dc43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe573aa7.TMP

Filesize
96KB

MD5
cc59aab1670197b2ac65c1fd12291481

SHA1
5bd4fec64a4904aea7c011af778c74e410a8d2ad

SHA256
5763aba636c2e8cad379a5c03dab4975a323b6f3e133cbf9cd94004d5f348693

SHA512
68f2142760e9b47e36b8ce31877c819da3262160d638216c70e53c2d62d1c4cb552c735ac66c66daefab39d93cd0dd8c6ddf78fa4aa85f17fa1ef57dbb7d607d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll

Filesize
11.3MB

MD5
fddc7534f3281feb4419da7404d89b4c

SHA1
19bdefc2c9e0abd03fe5ee4fad9c813a837f844f

SHA256
f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e

SHA512
c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll

Filesize
11.3MB

MD5
fddc7534f3281feb4419da7404d89b4c

SHA1
19bdefc2c9e0abd03fe5ee4fad9c813a837f844f

SHA256
f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e

SHA512
c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe

Filesize
257KB

MD5
60d3737a1f84758238483d865a3056dc

SHA1
17b13048c1db4e56120fed53abc4056ecb4c56ed

SHA256
3436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9

SHA512
d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe

Filesize
257KB

MD5
60d3737a1f84758238483d865a3056dc

SHA1
17b13048c1db4e56120fed53abc4056ecb4c56ed

SHA256
3436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9

SHA512
d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe

Filesize
257KB

MD5
60d3737a1f84758238483d865a3056dc

SHA1
17b13048c1db4e56120fed53abc4056ecb4c56ed

SHA256
3436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9

SHA512
d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe.config

Filesize
1KB

MD5
b492287271363085810ef581a1be0fa3

SHA1
4b27b7d87e2fdbdda530afcda73784877cc1a691

SHA256
a5fcca5b80f200e9a3ff358d9cac56a0ffabb6f26d97da7f850de14f0fb2709e

SHA512
859fa454d8a72771038dc2ff9e7ec3905f83a6a828cc4fc78107b309bdcd45724c749357011af978163f93e7096eb9e9419e3258ea9bd6b652154fe6dd01d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HRHMK.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HRHMK.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
0b7ffd0c948b1cd74702a44d92acabe0

SHA1
f5a36b265acb1315ff10f24934125119a028ace4

SHA256
5c237d048dd7cc30d9caff67c1d6a3d2231b453f1c3d1eaa3fb4cb41fc0f6636

SHA512
c06d44ddf0c029f09c1a7d705a34aec562ba76308965b0c21a5d20dc333d61fff175d9187968fa6b707a235990a2261856c92cbb20ed6969130d4d337d47f3e3

Download Submit
C:\Windows\564E.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\564E.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2484-376-0x0000000002950000-0x00000000029B8000-memory.dmp

Filesize
416KB

Download
memory/2484-384-0x0000000002950000-0x00000000029B8000-memory.dmp

Filesize
416KB

Download
memory/2484-387-0x0000000002950000-0x00000000029B8000-memory.dmp

Filesize
416KB

Download
memory/2584-512-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2584-531-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2648-622-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-629-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-566-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-615-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-616-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-617-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-643-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-618-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-628-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-641-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-640-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/2648-639-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/4076-542-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4076-576-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4076-519-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4076-543-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download