badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit[.]zip

Analysis

max time kernel
133s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230621-es
resource tags

arch:x64arch:x86image:win10v2004-20230621-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
30-06-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000002322a-408.dat	mimikatz
behavioral1/files/0x000600000002322a-410.dat	mimikatz

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResizeEnter.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\SkipSelect.tiff	rundll32.exe

Executes dropped EXE 5 IoCs

pid	Process
4664	[email protected]
3776	94BE.tmp
5232	[email protected]
4860	[email protected]
1348	[email protected]

Loads dropped DLL 4 IoCs

pid	Process
1536	rundll32.exe
612	rundll32.exe
5640	rundll32.exe
5732	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4FF4A87F-0392-4590-9E05-8C6AC329D2B7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EDBC4BA3-7514-472E-BEE2-064170BD2B10}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AA318229-A9CD-4245-A4D8-6A6F5377CBB9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{534523E9-ECF8-4D62-B9B3-4CA4E10026D8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EEC9A166-5579-4591-A95E-887C2B9E3887}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3378B7A4-F765-476D-A91E-3DFE65CE736D}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0DBAD4AB-0549-4203-BBC0-7DF60810BFA4}.catalogItem	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230630051155.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\41a3a743-1fb3-490f-aa72-65fefd854219.tmp	setup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\94BE.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File created	C:\Windows\cscc.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3804	schtasks.exe
1964	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
336	powershell.exe
336	powershell.exe
100	msedge.exe
100	msedge.exe
3464	msedge.exe
3464	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
1864	msedge.exe
1864	msedge.exe
1536	rundll32.exe
1536	rundll32.exe
1536	rundll32.exe
1536	rundll32.exe
3776	94BE.tmp
3776	94BE.tmp
3776	94BE.tmp
3776	94BE.tmp
3776	94BE.tmp
3776	94BE.tmp
3776	94BE.tmp
612	rundll32.exe
612	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	powershell.exe
Token: SeRestorePrivilege	6076	7zG.exe
Token: 35	6076	7zG.exe
Token: SeSecurityPrivilege	6076	7zG.exe
Token: SeSecurityPrivilege	6076	7zG.exe
Token: SeShutdownPrivilege	1536	rundll32.exe
Token: SeDebugPrivilege	1536	rundll32.exe
Token: SeTcbPrivilege	1536	rundll32.exe
Token: SeDebugPrivilege	3776	94BE.tmp
Token: SeShutdownPrivilege	612	rundll32.exe
Token: SeDebugPrivilege	612	rundll32.exe
Token: SeTcbPrivilege	612	rundll32.exe
Token: SeShutdownPrivilege	5640	rundll32.exe
Token: SeDebugPrivilege	5640	rundll32.exe
Token: SeTcbPrivilege	5640	rundll32.exe
Token: SeShutdownPrivilege	5732	rundll32.exe
Token: SeDebugPrivilege	5732	rundll32.exe
Token: SeTcbPrivilege	5732	rundll32.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
6076	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4452	3464	msedge.exe	84
PID 3464 wrote to memory of 4452	3464	msedge.exe	84
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 3596	3464	msedge.exe	85
PID 3464 wrote to memory of 100	3464	msedge.exe	86
PID 3464 wrote to memory of 100	3464	msedge.exe	86
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87
PID 3464 wrote to memory of 4388	3464	msedge.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xd4,0x100,0xd8,0x104,0x7ffca5f346f8,0x7ffca5f34708,0x7ffca5f34718
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7c6805460,0x7ff7c6805470,0x7ff7c6805480
    3⤵
    PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4543013513254961707,4470159440131230360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5720

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit\" -spe -an -ai#7zMap25583:80:7zEvent2272
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3492

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4664
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:5888
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3869427543 && exit"
    3⤵
    PID:5856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3869427543 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 05:31:00
    3⤵
    PID:4900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 05:31:00
      4⤵
      Creates scheduled task(s)
      PID:1964
- - C:\Windows\94BE.tmp
    "C:\Windows\94BE.tmp" \\.\pipe\{CC2AB57F-CFC2-4264-A881-86D6D242AF24}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3776

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5232
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:612

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5640

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1348
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a9f76dde5876d055fc0a4a821de6d02

SHA1
3cb30f2ff875cff6a4e4be0c7506254e076ad4df

SHA256
323204c96cf3ed35bb893c2f20a444cd0c7aa0b44749174b7b22ab351b2edf1a

SHA512
b805309fbbc622f2e47c9d4397662713b37879d0ea0602675c0894e655b9dcd34d483a02c6bdb73b5c6ce084ca7523e038104bce428a5bc7be3569c0d18b9091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6abe43658387f0826ca6d505ba2a9b0c

SHA1
ba777e01296195063af3aef86ad61289215991b6

SHA256
2683def01b6ee96268c1ee356bee3d8540683e6c830f6860a903cffc07f345e7

SHA512
2ca9e4ef89bc9d518a08ead9420610b2c24574f474f03545a65d589a8ee01a926b7da3d344e227a7f056a004766344bbb57d37f2d0cc3dd0078ddd9eedc87b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
d52dcfa600cb9e880afc35cab9da969e

SHA1
bdd5eee3e9fe5056b8a0f605667374c3bae809bf

SHA256
0a8413d47fa3179109dda28fffb2fc711fa8967c12b6e40ae320ed33aad91682

SHA512
d3950dae8c8cee3ded6d73b9bc682c7021183a9315d5d395af057333415df652aafce633243d2ddf530d9c59cd704b60b9cc8ca107455f5fbb2ef7d3a3eb4e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
35dea698bf95bd2a1ad55018ea13fcb4

SHA1
928eeb7bb40d59079fd28483d9810cbce41be442

SHA256
f18b1af793dea9ab3f4be96d201416a29c3be2bee6b897b8c21aefdf63de004b

SHA512
0608c707e1d3f2fcbcb0651508596a82299c1531739b415c072f330f61ddd68e404599cad4f0ee0ec71bacf518396ee296bac98603d27910b4e8ecad34839cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88752ac7a376e618907ef40993bf9625

SHA1
76d4c5921734ca04c3fdbe2b0a4c7d3692b8615e

SHA256
518f81e619fcc35fc00bc36cec17507e9cb7ad6a48b3fce1d2e6bf5d5fae697d

SHA512
9920185012690df0c66ba0ecb4b45dc179eef8e0a7e4320eadd7543c241b71762907e11238c2799b5ccb2f77586c3375bcb3ae60e4cfab87ab842dd526a22626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2296ddf495462e17c40c08f9e23c60e5

SHA1
01034a40369579d45e9e6a2c00e6798347e40deb

SHA256
43030d7103a634bc1879c1f99020b137d6172e65c5f9976f6b9880bc5995f6a2

SHA512
7c78125c1536fed3960c70fb687f82d65b616beaaa46ed1ab41a8f8fa1a2644620bf1e354e28d5c648433d2f4d998b5788a0500f39db040474721ea1bb29a85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b359167b3568d1b4953adefdef0deb24

SHA1
98405d3ec52edeed62f8a42bfe766ecf395a95b6

SHA256
177289a899357233597b059fde47b7e54aba35ca95e2a2201fd8d3ca68273578

SHA512
28efc3e9bb0350c2229ffdfc0578c0ebc8276405849480c1762c75d616998f6ff654f7ffde3cf0676b62b583b5ec207e514040de1a809b465bb9e734e29c96b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3922931a21a66290ecb769f2d79cc417

SHA1
d72bc5af3b2da078125ce71512249f67765624c3

SHA256
0eb33cdbc3b30f2dd68d3e4de912b61c6f29f3ddbf17b8e83948e9243763b8d4

SHA512
e4b1c22b64afa2120c2ae1385374747b04ea4b509fef1a27384755d57cfd4a86008cbf9af7095a1955c9934148b38cf7aa32b036d08702cbaa0ec9f5f59c3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e817c7b76fcd03e0a893263e4c2cfda

SHA1
24432d715fc3db81508c16ca956c5f34048464f8

SHA256
aaeeb2eca9ecdeba60b9346a01666b9bface7b496266c70f75025fd41129f2f2

SHA512
4512e59030701abefdc75fb70300dd80925d4e4886741d2dd90ddc51ffe61478b6b709485cd5bd603c6028ac6a280ba58b17d9e9562a9fdb2e1ad274a0d73721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
687cd188c3600d8128ac29e0d684c677

SHA1
ae99df7e7ba5bfb15974c870c88aac6dfaa03666

SHA256
8f05ffb60a2ab058e60fdf343736313b092713417b4b89cfebab90eeace5e014

SHA512
d77d914a4e05fab38bc8d07cb538ecccb90d827a5795c3dbf53c073eb066ea78b6e8631db50c1dd626b219d7da0ed02d0dfe25bff2e5c7f6c2295ae71d78a8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbhxcb54.gtv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7f97e9aecb31a20bb229581321a12208

SHA1
e029c984d8908a3bdd2f48382735d3cfd0393ee6

SHA256
493eb02df2a7202ce988f3fca2ec2729995daebeb9da9d6a8b7ed8f44222fa72

SHA512
25808ccb35fbdff3081f66b782fa041ce3818700a28eefb24b55950c3f0e60e5f41ae292c4c02bd04eb4179a3451deab3a730a154dd87a0982df8c8586b7ddb1

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\94BE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\94BE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
memory/336-144-0x0000014E6D3E0000-0x0000014E6D3F0000-memory.dmp

Filesize
64KB

Download
memory/336-147-0x0000014E6D410000-0x0000014E6D420000-memory.dmp

Filesize
64KB

Download
memory/336-145-0x0000014E6F8C0000-0x0000014E6F9C2000-memory.dmp

Filesize
1.0MB

Download
memory/336-139-0x0000014E6F4C0000-0x0000014E6F4E2000-memory.dmp

Filesize
136KB

Download
memory/336-133-0x0000014E6F520000-0x0000014E6F5A2000-memory.dmp

Filesize
520KB

Download
memory/336-146-0x0000014E6D410000-0x0000014E6D420000-memory.dmp

Filesize
64KB

Download
memory/336-148-0x0000014E6D410000-0x0000014E6D420000-memory.dmp

Filesize
64KB

Download
memory/612-462-0x0000000001F60000-0x0000000001FC8000-memory.dmp

Filesize
416KB

Download
memory/612-454-0x0000000001F60000-0x0000000001FC8000-memory.dmp

Filesize
416KB

Download
memory/1536-392-0x00000000029A0000-0x0000000002A08000-memory.dmp

Filesize
416KB

Download
memory/1536-381-0x00000000029A0000-0x0000000002A08000-memory.dmp

Filesize
416KB

Download
memory/1536-389-0x00000000029A0000-0x0000000002A08000-memory.dmp

Filesize
416KB

Download
memory/5640-468-0x00000000024C0000-0x0000000002528000-memory.dmp

Filesize
416KB

Download
memory/5640-476-0x00000000024C0000-0x0000000002528000-memory.dmp

Filesize
416KB

Download
memory/5732-481-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download
memory/5732-489-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download