Resubmissions

19-12-2024 08:32  241219-kfqvbsxmgl  10
19-12-2024 08:29  241219-kd1azswrh1  10
19-12-2024 08:22  241219-j9qkzsxkhl  10
19-12-2024 08:18  241219-j7clcaxkbl  6
19-12-2024 08:10  241219-j2wf9swmgz  7
19-12-2024 07:51  241219-jqbbyswnbq  8
19-12-2024 07:51  241219-jp8aaswnbm  3
19-12-2024 07:46  241219-jmcqlswmcm  3
19-12-2024 07:46  241219-jl6bjavrby  3
19-12-2024 07:46  241219-jlylpavray  3

Analysis

  • max time kernel
    997s
  • max time network
    997s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08-03-2024 07:48

Errors

Reason
Machine shutdown

General

  • Target

    b28242123ed2cf6000f0aa036844bd29.dll

  • Size

    87KB

  • MD5

    b28242123ed2cf6000f0aa036844bd29

  • SHA1

    915f41a6c59ed743803ea0ddde08927ffd623586

  • SHA256

    fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

  • SHA512

    08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca

  • SSDEEP

    1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Deletes NTFS Change Journal (2 TTPs, 1 IoC)

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Clears Windows event logs (1 TTP, 4 IoCs)
  • mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  • Blocklisted process makes network request (19 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Program crash (1 IoC)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (2 IoCs)
  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (45 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
      2⤵
        PID:4092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 460
          3⤵
          • Program crash
          PID:1128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
      1⤵
        PID:1564
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
        1⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe159e3cb8,0x7ffe159e3cc8,0x7ffe159e3cd8
          2⤵
            PID:2936
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
            2⤵
              PID:2884
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2128
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
              2⤵
                PID:5088
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                2⤵
                  PID:4796
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                  2⤵
                    PID:5044
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
                    2⤵
                      PID:336
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
                      2⤵
                        PID:1456
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4948
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                        2⤵
                          PID:2500
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                          2⤵
                            PID:1392
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
                            2⤵
                              PID:4500
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4740 /prefetch:8
                              2⤵
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4908
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                              2⤵
                                PID:1584
                              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5076
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
                                2⤵
                                  PID:4380
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                                  2⤵
                                    PID:1432
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
                                    2⤵
                                      PID:984
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
                                      2⤵
                                        PID:4948
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
                                        2⤵
                                          PID:800
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
                                          2⤵
                                            PID:3516
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
                                            2⤵
                                              PID:2540
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
                                              2⤵
                                              • NTFS ADS
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4868
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
                                              2⤵
                                                PID:560
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
                                                2⤵
                                                • NTFS ADS
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1828
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:2068
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:1088
                                                • C:\Windows\System32\rundll32.exe
                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                  1⤵
                                                    PID:2084
                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe"
                                                    1⤵
                                                    • Drops file in Windows directory
                                                    PID:984
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                      2⤵
                                                      • Blocklisted process makes network request
                                                      • Loads dropped DLL
                                                      • Drops file in Windows directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2796
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c schtasks /Delete /F /TN rhaegal
                                                        3⤵
                                                          PID:4512
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /Delete /F /TN rhaegal
                                                            4⤵
                                                              PID:2400
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1822095468 && exit"
                                                            3⤵
                                                              PID:3872
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1822095468 && exit"
                                                                4⤵
                                                                • Creates scheduled task(s)
                                                                PID:2092
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:08:00
                                                              3⤵
                                                                PID:2908
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:08:00
                                                                  4⤵
                                                                  • Creates scheduled task(s)
                                                                  PID:1328
                                                              • C:\Windows\D01C.tmp
                                                                "C:\Windows\D01C.tmp" \\.\pipe\{D6F5E55F-D8D2-4157-8E3D-6B8A4A1DF035}
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:896
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
                                                                3⤵
                                                                  PID:2376
                                                                  • C:\Windows\SysWOW64\wevtutil.exe
                                                                    wevtutil cl Setup
                                                                    4⤵
                                                                    • Clears Windows event logs
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4052
                                                                  • C:\Windows\SysWOW64\wevtutil.exe
                                                                    wevtutil cl System
                                                                    4⤵
                                                                    • Clears Windows event logs
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4988
                                                                  • C:\Windows\SysWOW64\wevtutil.exe
                                                                    wevtutil cl Security
                                                                    4⤵
                                                                    • Clears Windows event logs
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1448
                                                                  • C:\Windows\SysWOW64\wevtutil.exe
                                                                    wevtutil cl Application
                                                                    4⤵
                                                                    • Clears Windows event logs
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1328
                                                                  • C:\Windows\SysWOW64\fsutil.exe
                                                                    fsutil usn deletejournal /D C:
                                                                    4⤵
                                                                    • Deletes NTFS Change Journal
                                                                    PID:5004
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  /c schtasks /Delete /F /TN drogon
                                                                  3⤵
                                                                    PID:4544
                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                      schtasks /Delete /F /TN drogon
                                                                      4⤵
                                                                        PID:2972
                                                                • C:\Windows\system32\LogonUI.exe
                                                                  "LogonUI.exe" /flags:0x4 /state0:0xa398a055 /state1:0x41c64e6d
                                                                  1⤵
                                                                  • Modifies data under HKEY_USERS
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:1132

Network

MITRE ATT&CK Enterprise v15

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  ded21ddc295846e2b00e1fd766c807db

                                                                  SHA1

                                                                  497eb7c9c09cb2a247b4a3663ce808869872b410

                                                                  SHA256

                                                                  26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

                                                                  SHA512

                                                                  ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                  Filesize

                                                                  4KB

                                                                  MD5

                                                                  0b1afbb6d101e8b8e2c6c40d4293202e

                                                                  SHA1

                                                                  0be9916ac50ec4211954b29a7126c4210f535fdf

                                                                  SHA256

                                                                  66a9ac2b6d320c35f001302ff1798f48dce5a7a00f7a582978da5d8edce81e61

                                                                  SHA512

                                                                  adb52306e4028a3a80015ace977e0ae6dbf2fd097e38b909c2683c029aa51d8268616ca2012ccde41d8c3b8c44c88caf0023bc22146c5797528dc3b0fb0bb756

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                  Filesize

                                                                  111B

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                  Filesize

                                                                  936B

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                  Filesize

                                                                  5KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                  Filesize

                                                                  7KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586a5d.TMP

                                                                  Filesize

                                                                  871B

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                  Filesize

                                                                  16B

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                  Filesize

                                                                  11KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                  Filesize

                                                                  12KB

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                  Filesize

                                                                  12KB

                                                                • C:\Users\Admin\Downloads\Annabelle Ransomware.zip

                                                                  Filesize

                                                                  15.6MB

                                                                • C:\Users\Admin\Downloads\Annabelle Ransomware.zip

                                                                  Filesize

                                                                  15.6MB

                                                                • C:\Users\Admin\Downloads\Annabelle Ransomware.zip:Zone.Identifier

                                                                  Filesize

                                                                  26B

                                                                • C:\Users\Admin\Downloads\BadRabbit Ransomware.zip

                                                                  Filesize

                                                                  395KB

                                                                • C:\Users\Admin\Downloads\BadRabbit Ransomware.zip:Zone.Identifier

                                                                  Filesize

                                                                  280B

                                                                • C:\Windows\D01C.tmp

                                                                  Filesize

                                                                  60KB

                                                                • C:\Windows\infpub.dat

                                                                  Filesize

                                                                  401KB

                                                                • memory/2796-525-0x0000000002C90000-0x0000000002CF8000-memory.dmp

                                                                  Filesize

                                                                  416KB

                                                                • memory/2796-519-0x0000000002C90000-0x0000000002CF8000-memory.dmp

                                                                  Filesize

                                                                  416KB

                                                                • memory/2796-511-0x0000000002C90000-0x0000000002CF8000-memory.dmp

                                                                  Filesize

                                                                  416KB

                                                                • memory/4092-0-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                  Filesize

                                                                  268KB