Analysis

  • max time kernel
    328s
  • max time network
    333s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19-04-2024 13:08

General

  • Target

    http://Google.exe

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.exe
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4944
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f6229758,0x7ff9f6229768,0x7ff9f6229778
        2⤵
        PID:3260
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:2
        2⤵
        PID:1156
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:1464
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:1608
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2668 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:2736
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2676 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:4384
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3872 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:1524
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4068 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:792
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:5116
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:888
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3980 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:4852
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3988 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:2412
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4464 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:2488
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:4932
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3120 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:4512
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3032 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:804
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5204 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:4784
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5016 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
        2⤵
        PID:2072
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:2060
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=764 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:3524
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=836 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:1260
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:4844
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3684
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:4292
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
        2⤵
        PID:4876
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:4280
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2180
  • C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
    1⤵
    • Drops file in Windows directory
    PID:5100
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1572
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Delete /F /TN rhaegal
            3⤵
            PID:448
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Delete /F /TN rhaegal
                4⤵
                PID:4936
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 326679300 && exit"
            3⤵
            PID:2264
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 326679300 && exit"
                4⤵
                • Creates scheduled task(s)
                PID:2096
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:28:00
            3⤵
            PID:1364
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:28:00
                4⤵
                • Creates scheduled task(s)
                PID:616
          • C:\Windows\70B2.tmp
            "C:\Windows\70B2.tmp" \\.\pipe\{E12F890F-F3F8-4B7D-A30F-CAFEE3649020}
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4288
  • C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    PID:4816
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1324

Network

MITRE ATT&CK Enterprise v15


                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  cacd5623fda07f593873edad14a726a9

                                                                  SHA1

                                                                  2957c8581732f894a12b060994d9436f78122ef0

                                                                  SHA256

                                                                  d7276bad0408d56e1aaffc57ce662dfb51ee37baee7cde0ac542e1a12efa0ae7

                                                                  SHA512

                                                                  a2c84e42a05d37b7dbdac68076c8f40c2ac4f329f0854a80ad3038e23969ea822c6540fd971bc1d79c41f846943887eeae88afd682ec05997d1a38ea8d26abc4

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\56ddf349-d9e7-4b35-9450-055b1c24a8b0.tmp

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  ffa04240e08c463da3d277f110cd8e7a

                                                                  SHA1

                                                                  597d8c67c02a1d25af48f3a9137fa87e157b3cdf

                                                                  SHA256

                                                                  9cd519c12609897c1e8427f32ed087e2d84ca9d2ddbe2d554987146c17c78dd1

                                                                  SHA512

                                                                  a3bf9e0e9c5e9c649568f51946e9c51d6d8f90e34573c1f3a818bc509c0e9570190bb502bb2075927ab5f64a65829d5e1bb9ec429f43f95051be0854701b6d50

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  ed44b4cbee7359fb3f2e9ab9186f8e80

                                                                  SHA1

                                                                  343713c39d6bf986d72323dcf3e391cc8d67522c

                                                                  SHA256

                                                                  293e94f74699984fbd812079487ed09a0ea9d5f8d112cb7b04fc981ed0b1ed6c

                                                                  SHA512

                                                                  d77a0426474c6dd5808862e74a364d3a1e5fe63733b4ff68e33948a7c8537e5bfb91dc3356db3394010aca9407c72cdeb2c6ecd588f736283f81e3733215451b

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                  Filesize

                                                                  4KB

                                                                  MD5

                                                                  15d96ea75035fbf7d13912834262b84a

                                                                  SHA1

                                                                  5de1e00fe17dd1020834a8f0b28ee8bf707630bd

                                                                  SHA256

                                                                  f6656508c843256bd1b8712a10204af42476d1c15e597b1a209eb190bf837ca3

                                                                  SHA512

                                                                  4f13e4dbca027a67daa674c73b33ec8018463b1d85b74e0039258655019769aca686e6fb78d4365050504853a181d85e0add143e95b4819a7e61cfb38270aef6

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                  Filesize

                                                                  4KB

                                                                  MD5

                                                                  33c8e2bd54ae111117df755713ad4624

                                                                  SHA1

                                                                  85f3cde6555d21316dec63dd959c8c5034d975db

                                                                  SHA256

                                                                  30e9e5c3b9cd81f2991abe55f294c5d8b93ad99b0cc9a9f152dbb7f347765618

                                                                  SHA512

                                                                  f5e727dd69df1559e648225bd6b25f9c27ec06df16b8b63159ecb4dcc195fbeb7da2d91c56303d9ca08b6585f6a4f797accad60815b6450b38c68f06217ecc10

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  371B

                                                                  MD5

                                                                  516ee4e28065b36e21b82cea9c4b61aa

                                                                  SHA1

                                                                  ace0b9ce9f238bc31f0aed6cc6ded3535148471e

                                                                  SHA256

                                                                  b2b2b45bcdd2373341b2824041bd89dff078e8414111b5b275b554f56184b3c9

                                                                  SHA512

                                                                  80763d06a83d3c5816faba5379f4785d082e2005c42cc24cb57f1ee559d2fc38bfa2a176ac4a8d215a9bee1f1f87ea49ba3b7bd919bc53a63efbc779773bdf2f

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  b0de1b9ea7b48992537643054976c310

                                                                  SHA1

                                                                  94ca616200267830ccb38201ced5d4d64d7f3679

                                                                  SHA256

                                                                  da2481ea902882dcfaefe0228efe856d015b8ab31ca06a8a77cf559ec65aa276

                                                                  SHA512

                                                                  e655ced9c7eda0b93068991c558ad8f7c9d1ac6db1da12f180c722c91049f9bcedb7e823a991018a6d93b931c0d866615b627e4526bd90a76410503535b33aed

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  750569a19eddcbe515f2f64df3675698

                                                                  SHA1

                                                                  71de1658db4a9a6c22ad85cf9215cff2f57356b3

                                                                  SHA256

                                                                  356ba48e9b592cb9dd7d641b9280d03a0106a6927ea7ddf30abafa6f7f0344e5

                                                                  SHA512

                                                                  db3ff8dec3c0f719502d99342ff4fd2a57e9aa39ab86c6b729f24504ceb10fd42ae6e99cd9a4d3d13f2bf0ca3e8573a1c3a5e4c58e8fb6c8b20099d1237083ce

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                  Filesize

                                                                  1KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  5KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  5KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                  Filesize

                                                                  6KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

                                                                  Filesize

                                                                  56B

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe583c58.TMP

                                                                  Filesize

                                                                  120B

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                  Filesize

                                                                  136KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                  Filesize

                                                                  136KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                  Filesize

                                                                  93KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                  Filesize

                                                                  109KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                  Filesize

                                                                  98KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582ca9.TMP

                                                                  Filesize

                                                                  91KB

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                                                  Filesize

                                                                  2B

                                                                • C:\Users\Admin\Downloads\BadRabbit.zip

                                                                  Filesize

                                                                  393KB

                                                                • C:\Users\Admin\Downloads\BadRabbit.zip

                                                                  Filesize

                                                                  393KB

                                                                • C:\Users\Admin\Downloads\DeriaLock.zip

                                                                  Filesize

                                                                  210KB

                                                                • C:\Windows\70B2.tmp

                                                                  Filesize

                                                                  60KB

                                                                • C:\Windows\infpub.dat

                                                                  Filesize

                                                                  401KB

• memory/1572-477-0x00000000030E0000-0x0000000003148000-memory.dmp
  Filesize: 416KB

• memory/1572-480-0x00000000030E0000-0x0000000003148000-memory.dmp
  Filesize: 416KB

• memory/1572-469-0x00000000030E0000-0x0000000003148000-memory.dmp
  Filesize: 416KB

• memory/4816-651-0x0000000005410000-0x000000000590E000-memory.dmp
  Filesize: 5.0MB

• memory/4816-648-0x00000000004A0000-0x0000000000522000-memory.dmp
  Filesize: 520KB

• memory/4816-652-0x0000000004FB0000-0x0000000005042000-memory.dmp
  Filesize: 584KB

• memory/4816-653-0x0000000004F80000-0x0000000004F90000-memory.dmp
  Filesize: 64KB

• memory/4816-655-0x0000000005170000-0x00000000051C6000-memory.dmp
  Filesize: 344KB

• memory/4816-654-0x0000000004F40000-0x0000000004F4A000-memory.dmp
  Filesize: 40KB

• memory/4816-656-0x0000000004F80000-0x0000000004F90000-memory.dmp
  Filesize: 64KB

• memory/4816-650-0x0000000004E70000-0x0000000004F0C000-memory.dmp
  Filesize: 624KB

• memory/4816-799-0x00000000731E0000-0x00000000738CE000-memory.dmp
  Filesize: 6.9MB

• memory/4816-800-0x0000000004F80000-0x0000000004F90000-memory.dmp
  Filesize: 64KB

• memory/4816-649-0x00000000731E0000-0x00000000738CE000-memory.dmp
  Filesize: 6.9MB

• memory/4816-810-0x0000000004F80000-0x0000000004F90000-memory.dmp
  Filesize: 64KB
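As an added example (not part of the sandbox report or its tooling), the following Python re-checks the artifact list above: it parses the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names to confirm that each stated Filesize equals end minus start in the report's own KB/MB rounding, collapses repeated dumps of the same region into one entry per PID, and compares a file's MD5, SHA1, SHA256 and SHA512 against the values listed for C:\Windows\infpub.dat. The dump names and hashes are copied from the report; the name layout is an inference from those names, and the bytes fed to the hash check are constructed stand-ins, not the real infpub.dat.

```python
import hashlib
import re

# Added example, not part of the sandbox report: re-checks the artifact list above.
# IoC values and dump names are copied from the report; the bytes fed to the hash
# check at the bottom are constructed here and are NOT the real infpub.dat.

INFPUB_DAT_IOCS = {
    "md5": "1d724f95c61f1055f0d02c2154bbccd3",
    "sha1": "79116fe99f2b421c52ef64097f0f39b815b20907",
    "sha256": "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
    "sha512": "f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13"
              "eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113",
}

# Dump names as listed in the report, paired with the Filesize the report states.
REPORT_DUMPS = [
    ("memory/1572-477-0x00000000030E0000-0x0000000003148000-memory.dmp", "416KB"),
    ("memory/1572-480-0x00000000030E0000-0x0000000003148000-memory.dmp", "416KB"),
    ("memory/1572-469-0x00000000030E0000-0x0000000003148000-memory.dmp", "416KB"),
    ("memory/4816-651-0x0000000005410000-0x000000000590E000-memory.dmp", "5.0MB"),
    ("memory/4816-648-0x00000000004A0000-0x0000000000522000-memory.dmp", "520KB"),
    ("memory/4816-652-0x0000000004FB0000-0x0000000005042000-memory.dmp", "584KB"),
    ("memory/4816-653-0x0000000004F80000-0x0000000004F90000-memory.dmp", "64KB"),
    ("memory/4816-655-0x0000000005170000-0x00000000051C6000-memory.dmp", "344KB"),
    ("memory/4816-654-0x0000000004F40000-0x0000000004F4A000-memory.dmp", "40KB"),
    ("memory/4816-656-0x0000000004F80000-0x0000000004F90000-memory.dmp", "64KB"),
    ("memory/4816-650-0x0000000004E70000-0x0000000004F0C000-memory.dmp", "624KB"),
    ("memory/4816-799-0x00000000731E0000-0x00000000738CE000-memory.dmp", "6.9MB"),
    ("memory/4816-800-0x0000000004F80000-0x0000000004F90000-memory.dmp", "64KB"),
    ("memory/4816-649-0x00000000731E0000-0x00000000738CE000-memory.dmp", "6.9MB"),
    ("memory/4816-810-0x0000000004F80000-0x0000000004F90000-memory.dmp", "64KB"),
]

# Name layout inferred from the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, region bounds and byte size."""
    m = _DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end is not above start in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format a size the way the report does: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_dump_sizes(dumps):
    """Return (name, stated, computed) for every dump whose stated size disagrees with its name."""
    mismatches = []
    for name, stated in dumps:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != stated:
            mismatches.append((name, stated, computed))
    return mismatches


def unique_regions(names):
    """Collapse repeated dumps of one region into a sorted list of (pid, start, end)."""
    regions = {(d["pid"], d["start"], d["end"]) for d in map(parse_dump_name, names)}
    return sorted(regions)


def fingerprint(data):
    """Compute the four digests the report lists for a dropped file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def hash_matches(data, iocs):
    """Compare each digest in `iocs` against `data`; all True means the bytes are that artifact."""
    fp = fingerprint(data)
    return {alg: fp[alg] == expected.lower() for alg, expected in iocs.items()}


if __name__ == "__main__":
    print("size mismatches:", check_dump_sizes(REPORT_DUMPS))
    for pid, start, end in unique_regions(n for n, _ in REPORT_DUMPS):
        print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({human_size(end - start)})")
    # Constructed stand-in bytes, not the real infpub.dat: every digest comes back False.
    print("constructed sample matches infpub.dat:", hash_matches(b"not infpub.dat", INFPUB_DAT_IOCS))
```

To triage a suspect file, read it as bytes and pass it to hash_matches with INFPUB_DAT_IOCS; a single False rules it out as this exact artifact, while a recompiled or patched sample would of course differ on every digest. Every stated Filesize in the report agrees with the address range in the dump name, and the four dumps of 0x4F80000-0x4F90000 in PID 4816 (plus the two of 0x731E0000-0x738CE000) collapse to one region each, which is the list you want before carving or scanning the regions further.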