badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
184s
max time network
189s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
27-09-2023 09:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz bootkit persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af93-335.dat	mimikatz
behavioral1/files/0x000700000001af93-338.dat	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
3096	BFA2.tmp
2328	sys3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	[email protected]
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\BFA2.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3240	schtasks.exe
2716	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133402793406449959"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
3096	BFA2.tmp
3096	BFA2.tmp
3096	BFA2.tmp
3096	BFA2.tmp
3096	BFA2.tmp
3096	BFA2.tmp
2760	rundll32.exe
2760	rundll32.exe
3556	chrome.exe
3556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3532	LogonUI.exe
2980	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4988	4172	chrome.exe	70
PID 4172 wrote to memory of 4988	4172	chrome.exe	70
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 3524	4172	chrome.exe	72
PID 4172 wrote to memory of 4068	4172	chrome.exe	73
PID 4172 wrote to memory of 4068	4172	chrome.exe	73
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74
PID 4172 wrote to memory of 5032	4172	chrome.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff93d279758,0x7ff93d279768,0x7ff93d279778
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1696,i,2965575636976956394,4218496809402212759,131072 /prefetch:8
  2⤵
  PID:2140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4648

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:508
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2555709043 && exit"
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2555709043 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:28:00
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:28:00
      4⤵
      Creates scheduled task(s)
      PID:2716
- - C:\Windows\BFA2.tmp
    "C:\Windows\BFA2.tmp" \\.\pipe\{C231623A-C078-40A3-8411-8D516F2D17D1}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN drogon
      4⤵
      PID:3988

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:4680
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xac,0xd8,0x7ff93d279758,0x7ff93d279768,0x7ff93d279778
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5164 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1776,i,17057843141037764976,2741151173324903602,131072 /prefetch:8
  2⤵
  PID:1588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3280

C:\Users\Admin\Downloads\PowerPoint\[email protected]
"C:\Users\Admin\Downloads\PowerPoint\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
PID:1056
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae8055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2432

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:3856

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2204

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aea055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d9a49a7d6d5ca840cf0f0e937007e278

SHA1
90197e483cc1bf8970cb6012997b1968f43d8e78

SHA256
183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876

SHA512
142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c9ebf8b9df37ea82170dd0e5b2cf8fb8

SHA1
8a59e9840d3a9eca3cf7153e3966294122d21617

SHA256
21b6d112895d45a7c64f538ea37a57350e1eac1ef0a0de38a254f8519c317774

SHA512
7d6c72c4025447395287af6df4d0f5c33023b88a246b0334338af5437364a1c4765348b33527d5986097996c754823e05b86b49fc75f557fa75d74f464562589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c9ebf8b9df37ea82170dd0e5b2cf8fb8

SHA1
8a59e9840d3a9eca3cf7153e3966294122d21617

SHA256
21b6d112895d45a7c64f538ea37a57350e1eac1ef0a0de38a254f8519c317774

SHA512
7d6c72c4025447395287af6df4d0f5c33023b88a246b0334338af5437364a1c4765348b33527d5986097996c754823e05b86b49fc75f557fa75d74f464562589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
9f9df3fbd9a75ba32abbd03b1a7367af

SHA1
3afc1dc93533bad2a8368f96219c152a7fe92515

SHA256
53b10963c16168c4a4a27e01759765fbcb0739cf4b77465ba84db49a1cce1b49

SHA512
d303be03ea9a0a1d7c95267aaa9526e1bf007eef55a1736e5d427e3e0c5f3d87a05b6dd414d7bbe38aa7deab1b5a98ffd3b1506b054167be0edf8345b4904286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
5fb14816336ddf29e59bd706e7c22c7b

SHA1
29969f80969a5b946100c182a8da39e9441ea25b

SHA256
fe362c4d8b93423c320ab34f75886f943776846b05fe46914838f9921c37a018

SHA512
63e90acfa76534ea6db0311126f5613bdb3fff8cf49939c0866b46eff1ae039ceaf9248e8b9e83b552b84e5fce3f18bcbcbf047d521f76504c93271934ee8465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
eaab892f7fd42a74beb8eace58b18219

SHA1
2522fe7181701d7a213471817ef8c0c1fda91858

SHA256
24c2f51d0cb91eb859cfc94d9a24926bfa8862fc1df5e9dc27c2e74b3eb89e2a

SHA512
5a0eeb6f5d006e1e6a332dfd17fa50c251c8f4b9c0d211746a76707d0da09dd405f0cfb23c1bef1cc64b5f2a443d506c880400c5fef57d10d0e946d62eee902e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
f661b082f0fbae3ee6e9e32895b42049

SHA1
e5b3440cce64490a5437233fc72bc097dd2d61ce

SHA256
8a5af7797b8e4429ef9d713a728c3156f1e9e6d8c634dd9d4a8ed1b6971e8fc1

SHA512
b8c20eb5d48df12c7bdfcb13fbed42fcb295435f6f9be1a271485dd736390a7fb5e66c97c231b3b74b88b61c376cdc3b9cafa8e9cd2ca9e84e2ab56032e0d318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7c5fb8511ba31d595c2c0f5c196ce423

SHA1
184404f6a0108b80cd6c2cdc70d11b0e1d93a2ec

SHA256
72d1e5af4e77dd4556a756a6d5683a8e6d652f4441d678e9cffd58696bda707b

SHA512
2bbf72baa4838e3ce7e7ef559b0153719c0820941d3ff82f77a7aea5e3c1b2e6c4d456fae15761a6f46d0f76bf4f9d876cc2598d565cb55e36abd3ba37da12f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7c5fb8511ba31d595c2c0f5c196ce423

SHA1
184404f6a0108b80cd6c2cdc70d11b0e1d93a2ec

SHA256
72d1e5af4e77dd4556a756a6d5683a8e6d652f4441d678e9cffd58696bda707b

SHA512
2bbf72baa4838e3ce7e7ef559b0153719c0820941d3ff82f77a7aea5e3c1b2e6c4d456fae15761a6f46d0f76bf4f9d876cc2598d565cb55e36abd3ba37da12f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
51b68014330d96ef380d329c7c5b390c

SHA1
586df1f512de4feb23b3ed5ea4e078b4f6e81e87

SHA256
000f592b5f7c7cbc3acc8d7f2b1ba9164d41601b375c03523bf10a30e622ce18

SHA512
a8b520919e6069492ab13040f1e118a0bd6f368b510926075cf722346c7467bd23693018beb76e29296116e51a9e0dd60913702518b95567c0eb3ffb4a76dca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b0affd4bf0a40e003f02bb41167d56b8

SHA1
1842796bab75ba26353a50594e09f3d81a3edf75

SHA256
842a3997b4e3b05b1f741e0b879a5692d8bdcc0000b702a9cf96a28d815a67ea

SHA512
8ff1b7510e94c4fe3a43787eb839b59c7da01e4b4a0c33f134ea302c582024d823625f01dcb0ab8957218ac1f1a895b5190ec637d528ed4bebc7761d8317bb69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
d18ec51632f21c617720315cadfa9487

SHA1
0adc67f2f7495a323c614551593ca813776246a9

SHA256
350f5d5ba4ed580221c2814a39752c1dbe5f5275c67467016370ca6a463c7c02

SHA512
456464da272144ef82ced871d7d85512f3655c5905196501a351bfd9acadddf3de791b5dc1077c8e96cf6f19e7f23524898544af29ca303a9fad66ef45a7450c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
4e85c40206847504b77e4dd410dc5766

SHA1
4921c02c6d3b8d034d0b40508bffe5cc3bd9fd59

SHA256
aaae93e8e9df708b75411511b40ca95a20a7cce2c63aef4d59c29b9727509488

SHA512
555d18bde63bafd24099eb4284c430b259623c8164857f3d672ff795bb3bf7e06951019f8b63c666f127dcf5ad63d3f6eb6d89ab575e9f454a05d6c4f520baf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
bccb0d93eb1350ee35fd5311f97c6795

SHA1
22d66cdf65ada3d0388bc067d112db719d867894

SHA256
dc5b3a33cce6c363a5164c17df7d4ce562ed9c56b482004bfcfa7a952a3bcfad

SHA512
1f6853ec8f398c136d9653e3f7893eee00a022ff1963cdb952e3dfb9e77f32bc64fadb10522f940045153aa54a70bf428492060e3272c29e9d3c7a77ed7cd306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d18ec51632f21c617720315cadfa9487

SHA1
0adc67f2f7495a323c614551593ca813776246a9

SHA256
350f5d5ba4ed580221c2814a39752c1dbe5f5275c67467016370ca6a463c7c02

SHA512
456464da272144ef82ced871d7d85512f3655c5905196501a351bfd9acadddf3de791b5dc1077c8e96cf6f19e7f23524898544af29ca303a9fad66ef45a7450c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d18ec51632f21c617720315cadfa9487

SHA1
0adc67f2f7495a323c614551593ca813776246a9

SHA256
350f5d5ba4ed580221c2814a39752c1dbe5f5275c67467016370ca6a463c7c02

SHA512
456464da272144ef82ced871d7d85512f3655c5905196501a351bfd9acadddf3de791b5dc1077c8e96cf6f19e7f23524898544af29ca303a9fad66ef45a7450c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
479e3c6015f0a13ae4031d1726cb27c6

SHA1
f04b23add3fcdb6614fc0028f7381f26397121df

SHA256
ecf94aaa8ae667af1ff7e79d55e018f9738f3651eb055c78a9c4474e6cc85158

SHA512
e8409df3e90cc5ff0afc8976d63faecb5bf4d1572ac34a451b3081b4a6caa875aaa7c829669b3803c532bc130a07b256e80a1c69a09ff28ae4e1dbbca1f887fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
9KB

MD5
e77553b1909c883f810c300e6f901691

SHA1
d8196911201036c56c91be518287c184c09b515e

SHA256
1bcb1ef45b5e6c9523389321f9baadda574f530564d4183571d6b4aad45c2664

SHA512
07667936715af1e11f9ed3d4a84d095d977c46956bf99544f6ba4c03118a700d9507f7b67f6939934b819ae0c6abf0f7a8669350fd55cad7092b3010e751df44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
af9dd9e8da20a467e080503458572400

SHA1
93b4246c40083bb563d43cb42868aa64c7b9b5ee

SHA256
44b6fbd1a4da48f6bc2b2684fd170be5994a41658d28a869911a2b7023493176

SHA512
69da05177180c0d824e6a188703e95669c75956625a8b50f797fe9deeb5c5c93b5bc493108e05611b7d902c9a667d86d2310aa96f83fc41a04b60842d79c97f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
6eb872ef5dd12f2fc53feac0d4ca33a9

SHA1
0e5ef919d50eb1d99844045218101dad16bedd39

SHA256
21ecff51fe9f9e959422aa4ed03d3e9a5a66e58e676178079fde87bad14928d8

SHA512
4de85de82006bd128261a37afcf05f0f85f6d0f21a9810a4fb1a2c811b39d6ff759af31b823a169ce751be34eb1b47727d01bf0a466e3300520d636dfc70e9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e8a5f4d3c7111028a7918b083b868b47

SHA1
b8189441d65ac01663d5d98db6509ea3e8139e02

SHA256
c2b5ec83b2401f91c7c80f6c6cd23857f1aaf901e9b0cb50f694fe6347e9a1d5

SHA512
e6a04f006086111113d1162497f12b84507ad9a984afb367998006737061041dd18eb5d48945a62f63d88c41394df523dd9a89f140beeb2ac8fd9a972cf43669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
96d69148d43c873d5d5b41ee4e8669ed

SHA1
7c744bdf7187f4d3c5a1a0a804a25c00332fe659

SHA256
19a139058074202098099d54c911c1378a6bf13f453a7f913d04fc85ad2e06cf

SHA512
d3d92836c7b9c537482315590b56084d65e95e7ae17d8bfebc9714fa4ca26b29ff624b426445d7408744f0ec32e94fd14fc1de66328104e271b3332ba6362398

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8031828d6d62b4797fb202b098ddfb1d

SHA1
81bba93fec99d1420d31db541c1101694632fe6b

SHA256
02f350653d82e5b8d9ca7735d328142186130057a9714fab4901f422656a4340

SHA512
98e1646a92aac62b689744c15d0c21af576e742b2e3fc5ffdde68214a94b978a1f65fac111d9dd23b5721dbf95dd424dc33fc2ff22450bd5ada579299aa69c4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cd17703a6ed7b71500d2c2ee8a03d4f9

SHA1
35265a1abb2bdedf4d5871c07b5b2089aefae969

SHA256
564bde57a0a0f8c97074de504db952308b1c0440ff3997e0ebe33a8aa0db458e

SHA512
85677e3949eacd617d46f28088442bc3721bb812a399d473ecc2c49769bec25d91632611d2848bbd4cafbc35fbcbd76ce4a86561336a5ab681968210df606d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
049f970171dd4d16b9f86689ac43b25d

SHA1
c091b635b7edb800d08181a11d2acccdf55dda24

SHA256
a366fdab2a823a2678fe673906643ae721b4b63bca94ab03acf4c6c9ba03cb21

SHA512
c55bff9a398f3dc9a6115e361f5d1abd93e7047de599789e0231ae707a99a45752679a0cb72e070efda5ef92e52dac63805751c56e73fedaa4e7e2a37ec14378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9f6d2b769cb47bbe61c2b0011142b31

SHA1
9b8e810540edbea9b0070501049822514a01457b

SHA256
2d67fab87fcce034c9a5e180f159ba66ee26c4226a5cb1ac16e9b31207362c26

SHA512
0bb4c4608f7846b14c6922dc40e2ff93c0c38ccce2692a02cdfeac2e075b7809b7b66d22cd661567e3085f5f439cdc11cfb2a9a5938fe40cffda213b58c6b5b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c98cdbcdd7b36afa08af9ec96dbbe4e5

SHA1
a3ebdfe8674fe4eaf7cb535508cd83a2a5361e63

SHA256
3ba6909b8e24a933c64e978926bf4f26df8b64954b00b59b884a97d55965f834

SHA512
92e81536e191d37a9e653dfa953667862c0ce20a241bcecae2ea202d35bc021f8adfb995681e1a27b2ca8f0fa94606c1b390552df480c662fed4148606957c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
25a24a708b70fdeaa3120fff378412b3

SHA1
bb815c2e6cc8313971c24e5db0125ac3d6bbc378

SHA256
0d49ed7aba47685a9df7af59b5521aad2ac360ae74f0dca6c6577198fa8138ec

SHA512
3b479ea126ced8362fdeb43bc8aa11a34a9dbf24188752a4ffe85253cdc27ec858a9dfc2d845807520e1d9a8bc50cd89ee271ee76fb29e600a913eee1d1d60fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
25a24a708b70fdeaa3120fff378412b3

SHA1
bb815c2e6cc8313971c24e5db0125ac3d6bbc378

SHA256
0d49ed7aba47685a9df7af59b5521aad2ac360ae74f0dca6c6577198fa8138ec

SHA512
3b479ea126ced8362fdeb43bc8aa11a34a9dbf24188752a4ffe85253cdc27ec858a9dfc2d845807520e1d9a8bc50cd89ee271ee76fb29e600a913eee1d1d60fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4bafc62f46498290f3dd4ce522b5f119

SHA1
c5630d7f16025cfc7eb858dbf06f03a66fe203da

SHA256
2d6294ae7e7400a3d8a72f82bfb0fbe3a508336594967bb0991f4c6613a9b1f2

SHA512
1c36a96703d42fc50adbaa806448431d76ecc0cd27a2182d0109957334d4791dcb20e23735c58e96b51a6b4e25508042b5a70cf79025dd75c1726489b23079dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2139358cd462b481ffed9ba919da4ffa

SHA1
12f435a81f2aca7da06d5207b23c15538aea6ad4

SHA256
cbb46c86184e0e960f67ca3f94de32ddbd8fe9d62d052b99c85f03d65788f57e

SHA512
29dc6fa28ded7742b6a86d624a6e2552433cb07bac79366235cc8b97362ed96f614221ecb5e13498449546546c03fddf0603bceefd5a17d6ee62026045653ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c2fbfa4d61763e31135db36af434e34c

SHA1
982fb942f532fca32f1686104b98a009ce8ea914

SHA256
5788314a2ad0a6c2db35fca87c9e9a7256d2bb1ef58ca0952250ce690de4ff1f

SHA512
caa80c5d6975e78ad4de79348907bc6fd4af01b3fe87e157f1222083f6ae5e3ddb0b7c11022c95ed3a545e5701030a87c57eeac6aaf11a27f4d49c8371dafcfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
809B

MD5
18c53a25c133a4fde9201bc746e5bf3e

SHA1
10b941dfb025a8eeaff43d6e3ce73aa3da0a9b06

SHA256
17e789f1b69aebb9d0923142df66e87b6846f69526dc480165241682ed0c74eb

SHA512
365eeb1a3f3cd494e470803edf00e2685de435266f47693042ed99678e1ed7c1bd35c24f781df2bcf1ed5c3753ac861653bb38827259eea26fc2b8ba8df66a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
ef4166c902ff6c3d532df640f525bb3a

SHA1
05f5b0a928237f5252400e06870911966ec6327e

SHA256
ff1a47f70b28852c37524e5b9a398dfaffadcc9345f2189953c0d3a3ec085a48

SHA512
b669d28c85b17ca62d6668f88fb20d6c9cfb2f190ca6d861bfab97cdfc48e3adcf6414c19cdd1e83706ee10b21a9b0c122a775fcc48e6b5c27bda156fd488c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13340279382872495

Filesize
8KB

MD5
ec02f8ab2acde4be1e5a15a1bf7e1a56

SHA1
b1091bde42e54dae81810064c6a611a3fee9e65b

SHA256
81a5593ecbd14cbe4a8980f8e698f6ac711a3fdae0174cb019f0cf6f36d01781

SHA512
9013356a724a2244e3a6e666802123da177a1258217abd0f30135db2f311a18a1b5e697c71a9480a21e60839b7ea7b9ba63c1da6b9769d90075387e957fd9113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
2fa39c2b30d076c8dbe01bf92d86db57

SHA1
cc15f6395311107667e1a8297922d19bea2b2ae6

SHA256
8bcd133ee56345ddc86eb0e52c6dd134b217aaa867a46488e05194305be6d446

SHA512
94a5eb5ec6c6680c525656dc4782fe1a2387d57d6fb3a28f74b60467ca5f453fbdf8f4b095951d972d11d60662ab364c39da47867e3ab2d9789fced7d4ece7bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
99cb6da92702a20cd1b16b1edb5a3632

SHA1
cf921ae54880a5793f07453b653e18d330807987

SHA256
be6cc06ca1e1ed8c0fb9a199d0d9c1e5756186efab25f0b86fc174fb792d3e88

SHA512
5a7d2d6bc9e6e7314cd29a839d9d3ec94b659ee59171547f68b70e8773af450af8d43442302196f7758a9a2fc62b07f674c3e797491f605a0599e5c6b89c9a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
3104c17e7797797b2f9511078d69833d

SHA1
0bc837c1a21d1a3cfb0c7fc257e7339c80cef751

SHA256
0977d7e643b7a3d90c22a1037795f6009edc0065a1721c17ffe0b1ff09be956c

SHA512
07393d10840df71a2e5568592561e163d8206c28ab238d7ed2d13c8e9c731637af67c35750a8e6c0dd40c21a3142aac6d48f1621f590d22f875302a1ac63f975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
10790f0c26a9096de2d5569e2f0a0eb7

SHA1
0cf0594b439372ea44cca8f3250ec422b550a67b

SHA256
37004e8196d6b8f0f145b91e77abd488e318ce58ef0fa480f35aecd8e5b61d7d

SHA512
b1f2c8b46a52f38af9dc8731d388090e69997b2347c41ad6dfd27d7815a079d01ddcf4c120f1db7a95dc7e41934aa9c7e753c2d8f0701124732553f68cc48056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
db3595daf35c73c05664cfa633e0b687

SHA1
a841293d7473721c23d7f77018ce46191bfe4116

SHA256
0130da99dff6a0220158211e987b6a58969df1c1ee8a8de57735d9ed56bafaef

SHA512
71bfaaea089b71dd5969036048876de8a62dc85a3da937847258bc93605e6cefa39cfb084fcbf3d2c15a9be4691816dd3bb61bb34cb18c169ca0890b4c0922b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
b70e2b1453613648a878df80f4b5a0fe

SHA1
76c959645067fb7babb102c83b49f1888d7ee244

SHA256
05bce572bfe570cb0be6fa2377be66f2de85df983716c4f03a82ba924d1b8fd1

SHA512
8ae7b3d3a8a5e140aa67439fa844d1c24180cefac9f637c9828e4576d1cdc17df3c050367c95eb33344b8dc0ca04b33d39cd579a1603634e98f2364b7a8508e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
18ab5100b617f6b61443fad4f2c8355b

SHA1
6a39026279e8796f8c8f819e22a886258467194f

SHA256
311c78d76d5da47dede7b2ec272cfbeb293cba997d8edac0bded4a8dbd203f36

SHA512
02b24698563471b3aec776b66d752ccfbb09b6fb8cba8db453552275a7f29ff77fa48d76802507b785c28fc4b3152a49a367ccdbfd88d717cf701405b2a3c2ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
e3c1baf67856a6ec51cd965d810cadfb

SHA1
043f34aa28f06142f57145a61aeac50726cbe542

SHA256
cacc45f5068e0f4010c1a93dbf61f5b072a2b107fa8c394457071c9a7ccf2f1f

SHA512
7e9bd834e473bd1eaf1982b022acb72f28840ea00a07bd8796aea64677820ebed85e15bfe2d66aba048fd45b9d62b411cc84f8c119fd5aa6dccc8018e8458771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
2726c6218e20edfb5ce7d55c7595c291

SHA1
86cb39f2a14e21820d482b392eae8e0607ea5735

SHA256
6fb08a4fc4510902f58e4bcca1dce3fd4089893ffebfab25a57076f7ec213d30

SHA512
1f03a23009d8f0f840de68e68bd827da407ee37e4b3842c768f2ca4b2bae1ae0ec8bdd5c42b9fa0e54c60c208d434be964eafb28a649cb6aa75d972fddf4b54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
86939165f5ceb43214016c7e358f7868

SHA1
40dbba6861c9c26814a40d11802d43c1f8d5663d

SHA256
88c393f78daa2abd7f931c5f147c7cd2be8dfd00e60a08156751b3264fa9e483

SHA512
3fadcc12d78eb69b2c7ee8932db7f1191d8d2bf930bdc0eaeb81690a3621974b0fae4f310d23cd06b3450d1b537d7e68d9daf98491cf21675d5635b079f0a73e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
805a4ce70b5e2065e44366117bf8e3d8

SHA1
8b5be5548634e018eddbf61b3c59424df39f72c8

SHA256
3bd894705f5e06fd03ffe196d8017219c4810c0ea815a5bbf51dd3b6bbc648f8

SHA512
3e87aba34f292a4582b3e678d79860323236bdf6885d7938d957141f9ce67d40b903fec7d118889d3a0e3c9e434d32bedc081c845634b645c2f690e4a4b03bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
8e75be4430db2f3a18113f02d58b39dc

SHA1
cb04a97e771b059794282593769c0e88d3cd5c5a

SHA256
12d0638374033c8b7996e29db4544160e5a32e7726683e707385a3131c2e1792

SHA512
96721405e175e3806dee482aec94516a2583921322fd8a3f8381bec75689aeb2eb99566a07fa5cc9dda798d02649959798ca4dddf5bbe7d09ff46f8dbe190dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000009

Filesize
18KB

MD5
0e2e5393044697e87aecb4e2abf288d3

SHA1
665d074b06f64e76384fa6c8c5134b3a8167fb75

SHA256
66ad5865edf4f5d766426804efb184cc9c72b2331d0075e49ce5090342c61bef

SHA512
f7f0533d5c56ee32fe5a66b1d35bb1a82aef5f6b5a5efaed01a69ee56ad031292e38bb65066a40bc0b9469f30ba31f56f54264ec2a92c5054f63a798a302da90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000a

Filesize
16KB

MD5
8257043e1b6a8ec4a61518c1539f10f0

SHA1
b74300a0c170428e9c20cbbdbc1d1f957adc7089

SHA256
3134234b93f92c12e368fdb69c555267e42989f807ad2972165ac2b21f6fbc30

SHA512
d0e4fd0c95da41456db1964e8f09cdf3096993f0f299ce0ee73b2b4559f9b022465d1aa6615d0b3dabfdfa1fd75352f3efcd944c029e2c1f1bbcfe4ef19627a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
f0b8c4fdc5685384d0b40f2c4b10d381

SHA1
e3fb2da64828a09a5dda63a9f04d9e9db30a6029

SHA256
9bfcda44d3867470ef27773036b34dfdfb31d2e58c27ed8d4b965072e08758e9

SHA512
2043cede85020bad6c1317f68a30a6e25b228889ed95136a15d2d99674f22e1fecca976fbf0a0180bd9749b5d639e082867dd13608d101e5d77444ccf7887f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
cb140cbe97605d8102f9f796911d6dea

SHA1
2baaff7ae320aa791c5e0f2c72a82ce5689253be

SHA256
4ecf142d2828eeb1afc044d3f25a8586984c6461659754928dd041fefea876fa

SHA512
a5ea0d4e52b01f9cbad423771f489135cace31e180785db0bcca9820bb37a3a5c70eba5c81fccb3eddfb5875c5addd9b039beb1d82399bea755179aad50be878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
95bffec8c2707b5607375f25809d5ad0

SHA1
abc04ca4161fd810dc4562d7dc1deb630769916f

SHA256
41563a43ac71b12299ce8b261a0c049a197922f2e91266504d5cfe77d80272af

SHA512
e32c13e57efb0eeaaa454bfe330a9b03fc720578f5b1c05397edf2575f93efab933c1e26c7950de1e9b27e4f05b9786228f3d2d522acbba5e9ad4c0fcfaa0e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
acde2c1f45b13496dfb0bf6afcc0ac5d

SHA1
ed3018a35e013747f58d8084383293325f52cf56

SHA256
e768bbe38b0e2c415f1b085f0b4419902dc973015968851879d099a9c18fd051

SHA512
aad6ff2f8393bb1cb6f9e9d7d1ed3e134571d785452853c9b0944c327e5390c9709cc157ddc8926df9b946b3188a0269e4e6ae3f512caa105886539b63fb912e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
3d67172e5b0bbd6b83e0372f1821df0b

SHA1
b8f0025697ee99aed8a9680947ee8a2d165a2ca9

SHA256
3da59442e0aeb738c8f869f528c303d6da91fd79db3c30c2fce22583f7a04ca3

SHA512
bbf9598c0f13f04790d811a56eb9e720aba8b42e4981d0cbc50dc2d9cb1e6535655ba495883cd0efe905900652966b51d1db832cefa13076cdba7dc33b55c2c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
f0b8c4fdc5685384d0b40f2c4b10d381

SHA1
e3fb2da64828a09a5dda63a9f04d9e9db30a6029

SHA256
9bfcda44d3867470ef27773036b34dfdfb31d2e58c27ed8d4b965072e08758e9

SHA512
2043cede85020bad6c1317f68a30a6e25b228889ed95136a15d2d99674f22e1fecca976fbf0a0180bd9749b5d639e082867dd13608d101e5d77444ccf7887f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
a195be3ca61626419bdd71522c17e552

SHA1
18aec89e0a62e0303fc20f2c3da0ee52191250b4

SHA256
906cce11cbf4225ebae330f6ef02fc7f31e9e38a49d30b6198ce726c342b76d6

SHA512
80b481298d87216eb3b33af5de1c0158b46df1345b648034c569404f363c6397384d382106353fdb57a5949fd3b7f44226a2d81ffe9e70cd0363d098acb34947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
6bb57a729d62c5c4ef62393163c3d79d

SHA1
4335dff71c0298ba65a6746bd9da2ac5bf3bce24

SHA256
237f4408e40366cdb27762c65d7da21b676d8f7f91125bb03a53ccd111ba5558

SHA512
94a46c53ba36b8ca841e85130ba91722764ef3f82008018611f643f4359476cee45678849d2d217ba93c92090cd25ad2579de8e3f4cf9994997c19e7bef68fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
59a2b2f2bb2b32c93aac958cadb6b71a

SHA1
5aa048bbb43733f0e76877860fbdb3ef3a65d696

SHA256
69878f3224c47c5bc0bb9e6f01c19cba0dd07fa0f474324d8c42f19cb451b4d6

SHA512
dacc0f0d5bb792ae6b602f19328a0984f86bfcf917287d2a15fea2ea51f18b5b4b09f88aedd38c7941dcc2ce45b8fe189f880eb7045cb5b4a4b09463d7f32827

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip

Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
C:\Windows\BFA2.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\BFA2.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1056-667-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/1056-671-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/2760-354-0x0000000004540000-0x00000000045A8000-memory.dmp

Filesize
416KB

Download
memory/2760-362-0x0000000004540000-0x00000000045A8000-memory.dmp

Filesize
416KB

Download
memory/4272-318-0x0000000004090000-0x00000000040F8000-memory.dmp

Filesize
416KB

Download
memory/4272-326-0x0000000004090000-0x00000000040F8000-memory.dmp

Filesize
416KB

Download
memory/4272-329-0x0000000004090000-0x00000000040F8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads