Analysis
max time kernel: 328s
max time network: 333s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-04-2024 13:08
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://Google.exe
Resource: win10-20240404-en
General
Target: http://Google.exe
Malware Config
Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Mimikatz (1 IoC)
mimikatz is an open source tool to dump credentials on Windows.
  resource: behavioral1/files/0x000700000001ac6e-487.dat  yara_rule: mimikatz

Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe  Process: [email protected]

Executes dropped EXE (1 IoC)
  pid 4288  Process: 70B2.tmp

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flow 74  camo.githubusercontent.com
  flow 81  camo.githubusercontent.com
  flow 97  raw.githubusercontent.com
  flow 98  raw.githubusercontent.com

Drops file in Windows directory (5 IoCs)
  File created                  C:\Windows\infpub.dat  Process: [email protected]
  File opened for modification  C:\Windows\infpub.dat  Process: rundll32.exe
  File created                  C:\Windows\cscc.dat    Process: rundll32.exe
  File created                  C:\Windows\dispci.exe  Process: rundll32.exe
  File opened for modification  C:\Windows\70B2.tmp    Process: rundll32.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2096  Process: schtasks.exe
  pid 616   Process: schtasks.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     Process: chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   Process: chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Process: chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580057158167661"  Process: chrome.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  Process: chrome.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings  Process: chrome.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid 4944  Process: chrome.exe  (10 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege        pid 4944  Process: chrome.exe
  Token: SeCreatePagefilePrivilege  pid 4944  Process: chrome.exe
  (these two entries alternate; 64 entries in total)

Suspicious use of FindShellTrayWindow (47 IoCs)
  pid 4944  Process: chrome.exe  (47 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 4944  Process: chrome.exe  (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4944 wrote to memory of 3260  Process: chrome.exe  procid_target 73  (2 entries)
  PID 4944 wrote to memory of 1156  Process: chrome.exe  procid_target 75  (repeated entries)
  PID 4944 wrote to memory of 1464  Process: chrome.exe  procid_target 76  (2 entries)
  PID 4944 wrote to memory of 1608  Process: chrome.exe  procid_target 77  (repeated entries)
  (64 entries in total)
Processes
(nesting shows parent/child relationships; each entry gives the image path, the command line, the signatures raised by that process, and its PID)

- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4944)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.exe
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3260)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f6229758,0x7ff9f6229768,0x7ff9f6229778
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1156)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1464)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1608)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2736)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2668 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4384)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2676 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1524)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3872 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 792)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4068 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5116)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 888)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4852)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3980 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2412)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3988 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2488)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4464 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4932)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4512)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3120 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 804)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3032 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4784)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5204 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2072)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5016 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2060)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3524)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=764 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1260)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=836 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4844)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3684)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4292)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4876)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1776,i,3948845266712929912,8970285566411340241,131072 /prefetch:8

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 4280)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

- C:\Windows\System32\rundll32.exe  (PID 2180)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]  (PID 5100)
  "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
  signatures: Drops file in Windows directory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 1572)
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe  (PID 448)
      /c schtasks /Delete /F /TN rhaegal
      - C:\Windows\SysWOW64\schtasks.exe  (PID 4936)
        schtasks /Delete /F /TN rhaegal
    - C:\Windows\SysWOW64\cmd.exe  (PID 2264)
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 326679300 && exit"
      - C:\Windows\SysWOW64\schtasks.exe  (PID 2096)
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 326679300 && exit"
        signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe  (PID 1364)
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:28:00
      - C:\Windows\SysWOW64\schtasks.exe  (PID 616)
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:28:00
        signatures: Creates scheduled task(s)
    - C:\Windows\70B2.tmp  (PID 4288)
      "C:\Windows\70B2.tmp" \\.\pipe\{E12F890F-F3F8-4B7D-A30F-CAFEE3649020}
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

- C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]  (PID 4816)
  "C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]"
  signatures: Drops startup file; Suspicious behavior: EnumeratesProcesses

- C:\Windows\explorer.exe  (PID 1324)
  explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: cacd5623fda07f593873edad14a726a9
  SHA1: 2957c8581732f894a12b060994d9436f78122ef0
  SHA256: d7276bad0408d56e1aaffc57ce662dfb51ee37baee7cde0ac542e1a12efa0ae7
  SHA512: a2c84e42a05d37b7dbdac68076c8f40c2ac4f329f0854a80ad3038e23969ea822c6540fd971bc1d79c41f846943887eeae88afd682ec05997d1a38ea8d26abc4

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\56ddf349-d9e7-4b35-9450-055b1c24a8b0.tmp
  Filesize: 1KB
  MD5: ffa04240e08c463da3d277f110cd8e7a
  SHA1: 597d8c67c02a1d25af48f3a9137fa87e157b3cdf
  SHA256: 9cd519c12609897c1e8427f32ed087e2d84ca9d2ddbe2d554987146c17c78dd1
  SHA512: a3bf9e0e9c5e9c649568f51946e9c51d6d8f90e34573c1f3a818bc509c0e9570190bb502bb2075927ab5f64a65829d5e1bb9ec429f43f95051be0854701b6d50

- Filesize: 3KB
  MD5: ed44b4cbee7359fb3f2e9ab9186f8e80
  SHA1: 343713c39d6bf986d72323dcf3e391cc8d67522c
  SHA256: 293e94f74699984fbd812079487ed09a0ea9d5f8d112cb7b04fc981ed0b1ed6c
  SHA512: d77a0426474c6dd5808862e74a364d3a1e5fe63733b4ff68e33948a7c8537e5bfb91dc3356db3394010aca9407c72cdeb2c6ecd588f736283f81e3733215451b

- Filesize: 4KB
  MD5: 15d96ea75035fbf7d13912834262b84a
  SHA1: 5de1e00fe17dd1020834a8f0b28ee8bf707630bd
  SHA256: f6656508c843256bd1b8712a10204af42476d1c15e597b1a209eb190bf837ca3
  SHA512: 4f13e4dbca027a67daa674c73b33ec8018463b1d85b74e0039258655019769aca686e6fb78d4365050504853a181d85e0add143e95b4819a7e61cfb38270aef6

- Filesize: 4KB
  MD5: 33c8e2bd54ae111117df755713ad4624
  SHA1: 85f3cde6555d21316dec63dd959c8c5034d975db
  SHA256: 30e9e5c3b9cd81f2991abe55f294c5d8b93ad99b0cc9a9f152dbb7f347765618
  SHA512: f5e727dd69df1559e648225bd6b25f9c27ec06df16b8b63159ecb4dcc195fbeb7da2d91c56303d9ca08b6585f6a4f797accad60815b6450b38c68f06217ecc10

- Filesize: 371B
  MD5: 516ee4e28065b36e21b82cea9c4b61aa
  SHA1: ace0b9ce9f238bc31f0aed6cc6ded3535148471e
  SHA256: b2b2b45bcdd2373341b2824041bd89dff078e8414111b5b275b554f56184b3c9
  SHA512: 80763d06a83d3c5816faba5379f4785d082e2005c42cc24cb57f1ee559d2fc38bfa2a176ac4a8d215a9bee1f1f87ea49ba3b7bd919bc53a63efbc779773bdf2f

- Filesize: 1KB
  MD5: b0de1b9ea7b48992537643054976c310
  SHA1: 94ca616200267830ccb38201ced5d4d64d7f3679
  SHA256: da2481ea902882dcfaefe0228efe856d015b8ab31ca06a8a77cf559ec65aa276
  SHA512: e655ced9c7eda0b93068991c558ad8f7c9d1ac6db1da12f180c722c91049f9bcedb7e823a991018a6d93b931c0d866615b627e4526bd90a76410503535b33aed

- Filesize: 1KB
  MD5: 750569a19eddcbe515f2f64df3675698
  SHA1: 71de1658db4a9a6c22ad85cf9215cff2f57356b3
  SHA256: 356ba48e9b592cb9dd7d641b9280d03a0106a6927ea7ddf30abafa6f7f0344e5
  SHA512: db3ff8dec3c0f719502d99342ff4fd2a57e9aa39ab86c6b729f24504ceb10fd42ae6e99cd9a4d3d13f2bf0ca3e8573a1c3a5e4c58e8fb6c8b20099d1237083ce

- Filesize: 1KB
  MD5: 00877d6214f30dc97d996360bf4df96a
  SHA1: cf08736bd97971418af9caf180208b47bedb2fb0
  SHA256: 8cacb776d680fa0b05408496612aadfc471ab6ef30363a85578dcbaf88a46a93
  SHA512: bf9f2c6dbcfb4e9a05c6d4b5fd2f742c87b31208d83ad08762f93bd9d41e5b08f915a4481917031069e29cca29c6a52d8bcc91920942e51a89de98680f55d203

- Filesize: 1KB
  MD5: f31c80d8a42d4d61b15846e6748a4fbe
  SHA1: d374eb402712d6f48b59722c9af22351bc187097
  SHA256: acb7fee39e5ebbc93eb18ed3be7370f8ec4d132b7a64015f382ef5edb143125d
  SHA512: 9e244770abc05c3f016a0263676ad4c89a04a57a464bc2de022cb8865140a370c712541c2ee84bfdf1c6c4752ac9c0f1201752a212ab6f13e1ef03a19cb14db5

- Filesize: 1KB
  MD5: 1f8103f2703885228d2477c577687411
  SHA1: d5f3f11a9bf2a1f43ac8f72a9f958bdd51b0fd81
  SHA256: 2a21ad5b419c2b3686f0bbef56dd604b7ad0678bf82d0082ad3e811ffa8123d8
  SHA512: bcd06690a0712108f481789e25cc4d4610450b00148178fcef04777d559dff19c40a8ff7da3ef75746648a85a1f6d2013bb49dd03b6e3d013027104e2e08b0b0

- Filesize: 1KB
  MD5: 2d8cf44c9b5de803641fda34b57e7d29
  SHA1: baf0a058983baad794b55618710ed3d4cadfdae1
  SHA256: 39f99aeccead10e3ca71110412c4b3c8dce310c0ce0c92d4b434df97770c8f8f
  SHA512: 859ece1293638456c7da6480cdb0347557ce6cafa91c573e44bf3f08e6eef45b9d39e8e0ee51c646c41dc5036e47b7287aff86dd60b1963f82800281e0f69c04

- Filesize: 1KB
  MD5: b514f7d0f46816215170eb1b17007afb
  SHA1: c93d76416f6c7b9d1a95d979839c04ce0072427d
  SHA256: 832d55313a172d105317a255c95ff22bf11bc566002fa497abccde9a807f483f
  SHA512: 776f6d4dbb6056b17dec3b0396c2763cd77651a69ccc7e727da12cd4faa2ce0721c781a1a8a24bdfec1250d01ed64bc97bc3b2cdc1b3ea20522f05d91ee4cc4a

- Filesize: 1KB
  MD5: 6aba9dd19212fde63638f2c78aa09ac4
  SHA1: 5e9de9ab131619a101b7993f424f23aa310ed46b
  SHA256: e7d18b23c24791515db1433841c2e8da9a3aaa98dfcd0f2084191b518ea97959
  SHA512: 52a70b4cc9a9e998a93f210e8130818f710cfe52c49123fa83d06a844a7c0318b11808cb0d679a58a07eea93c3cdd3c59bf4c093fff19d51d3c62c02a20386c0

- Filesize: 1KB
  MD5: a6daf53822e5bc097d03e89086d3fb0b
  SHA1: c04e2cc5331ab00e6c3477f9e21ecdcb7eb193fc
  SHA256: b7d4d37a88c3488c2800c267a5623911997e28d7fd3ea1a68e28fda0f0ed3265
  SHA512: ba36ee143b111cfb6f7ab0791055bcbe2382fb37d98355d322f85474a7f2adca377044d3fe31275c48358a5636f73d531496fb8ecc4b32a36020aa6aa5b6974a

- Filesize: 1KB
  MD5: d13c89f56a91383d5730180f14337f9d
  SHA1: 32801c5fda0b978c9fecca0b879d20db1c441edb
  SHA256: 613e6c92a2139d6c042ae05db0c31d2b98a8019ad54586cea20175c2eb7d6766
  SHA512: ad1274583d68a5fc72015feeafb75ee41859bcb7d79d1475adbf41c6bb9ae0c22bdb926096d9a5c70bd530c84a4d94d539705e41237d721181cf6a7b6253845c

- Filesize: 5KB
  MD5: 94a7450345bf87227838c3fcfa839c25
  SHA1: adf2039e85798138106a29b5113565cbe2302fa1
  SHA256: 85ecbdd908ae62ddcbcadb592fcfc7b3216688bf9271211e3589f718cc08ace5
  SHA512: 6fdfd036ac49d84da233c1af72103d48ae486a1b65a098bb29fec602cffeb6df9275b229477e05ab52ba8eb1c941bb0294f411449939acbe5985c6a06bc9c53a

- Filesize: 5KB
  MD5: c0d4788892a87ad3bc511a9c4b2cf735
  SHA1: 407689a2dfacfb83925c77e5d6fe5a8319890cbb
  SHA256: e2c425cdffd776f544c963f676e59467227542348dea8bd065c4bc0279f98a9d
  SHA512: 902f93e8c5efd3aaf4fbff2ef3d1337aa617c605f67d5ed26c6dfc0f4f2baaf9dff1ce99f4178eda9afd3243de0b62e1cbb0c40da18d1533d86ee02f1267e71c

- Filesize: 6KB
  MD5: 895821d9a1e8e7060210077b0987fc52
  SHA1: 28877d19362c346161e04d28a6bf3faf7392277f
  SHA256: 799f47bff97b2a1d76f6f65c1a4c3d056a6bd62a02624fa018d272a3542579d0
  SHA512: eaa6258474e1f499360c0df358d56626b60c6fec67bae2cafcb6c57cb19b0ea10cc03c72afe26cf35645e82f440a22e1424a7e67e427d4371601732e1e37852f

- Filesize: 6KB
  MD5: 41885965534c0a693f49ecc261fa4a64
  SHA1: e9215cff75b663b70a6e6e1ea84abd4db197d1ce
  SHA256: c4775ea4e377aaae8be5c34759230b20d05180ac48d66ab339f05e884f988004
  SHA512: 06c5962af8e10daea8517623f536aafeaa2d955ad9ccbbd853bc695b4db6c2b3796851dfbd2ee6c1f8f240f4437a4f22b3544b23d403beb831177e8fdd07de6c

- Filesize: 6KB
  MD5: 7ca171a8bddea1a0856b06d954891028
  SHA1: 9748a100f71a196311a12ab5c1fad5123c5fd3e8
  SHA256: 1aad41258feb28c7864e166b89ce7b6e849bccd0dad73d08d6dd265c6e347db7
  SHA512: 1572ebf3900c19efc56cddea97326bf169b9e549b5d887e7ed2ad397bf708c30d7b3df2c98e5b9fcf3c60da824e00d56543d3ef6ef551c6457d9627f3419ba8f

- Filesize: 6KB
  MD5: 2c2d4dae1ea43fa061b6b7577b3d649f
  SHA1: 5826fc03c77b8e183e446277bbdf22ded0d4f4ec
  SHA256: d555fea69007ca0b6678ae3a2e1201db408063199b0865f159b6ed4f275903cc
  SHA512: 94be018f9c0e72198adeee5f401207211ce67dfb498ba3de355c2ebc0d71002554e5da8c38757af005071b34778750de7a650ab0273a9d36903c6c9ca26117b2

- Filesize: 6KB
  MD5: c19b3481a4962e6c076d65662d177b53
  SHA1: cb55e16ba905b194a9ae6fc418dd4238ef139d4a
  SHA256: 652f5e7c0730a9378cd00118d1ea77669606ffea450a519b2324ec6f87fcd90a
  SHA512: 3313adfd01626e42edcca731e52a0cb2a942561373466611e141a9454f86ba4f3761fe1548fbd5c87814832a44188e4768fc6dc7f04c5ddb75d0e0405105bef4

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 56B
  MD5: ae1bccd6831ebfe5ad03b482ee266e4f
  SHA1: 01f4179f48f1af383b275d7ee338dd160b6f558a
  SHA256: 1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649
  SHA512: baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe583c58.TMP
  Filesize: 120B
  MD5: df2128977650bac57436e10b1e5926f6
  SHA1: 75ff28dd914dbc2c2b28593d6c3e16001e045089
  SHA256: d645cc2878f93cdd3f43e35869145467b6855c652f0159378fbd92eff79146fe
  SHA512: 60fc874250f479e8bc608068a4b18314762ec1afc7f88c67a68e240eed8993e8cd5c0f4f842c5f808f7ccf92ab30d50d792dc5f3cbd4542ba14f64ce84797bbe

- Filesize: 136KB
  MD5: ed94cb60b34b5925629fb0b14eea4eba
  SHA1: e4c8675a26867044d1db9322cc3c368794408460
  SHA256: 30e299cd46d71ba800a21ca251958747700e1ceda9cb4cae1801f36995fc7fee
  SHA512: 956eb5f92efebd611d3cdc18e16fc5b4a10f1d6828a4c5879fce23057aa1a825babcd10af4309665287c6de2cf308368b43ff53ed45be98e19717edbf650a5e1

- Filesize: 136KB
  MD5: 11a2dda470b425e766a5686c0ab148db
  SHA1: 089acc99e6f51c02a4a661d9b5376e097856a2f5
  SHA256: a9d0b57de71344657e3a16a15d4fc363b1d185498ca2f3c001e2a93d357d533d
  SHA512: 93ee17d7b94d4508d73ba2df5d9f91cb8852ba4e978d696fe2851852de35d818bd568a2bbf1d70334e9123ffa0bff38c7ef9c297a149d7403c09224b7cefb148

- Filesize: 93KB
  MD5: 42db2780fae5bd05c84674be1961adf9
  SHA1: 843e3895d671929a2dbdde8fdedb02ca62c20a68
  SHA256: 14270d65b02df13469979087d02f5c19ee9e612875fb91af7edd3df0716451e6
  SHA512: 18cc7722f5224461beb56b965bfe6b0008eb497d7170e7d3ad27aeb9e244103bf7ed1ec65962d32b301f284d30248eb66e072f6eefd8632dbc93dbe8df8ed4e0

- Filesize: 109KB
  MD5: e98ecdcc246ad48198fe1a58503bd30a
  SHA1: 204c53ada239baa13498c739404b406dc8bf4e50
  SHA256: e8b0ceb31d705518e2ce1e30afb6dcfdee5f0062e6c92c9b562267fa74fb8d67
  SHA512: 342ee53aae64c9a5ccc3bd78cb3bda7b4dd6c2b1a818a8dc0572d9f1f409077ca51e9012f30067dada1d522df3327fc58359f35b96f5b0058e4d460717c5be16

- Filesize: 98KB
  MD5: 5ead5cfe3e744bf61d6e230f16b3e7b4
  SHA1: db12bd141b814f74e0f63594a1b9d6760fbc1849
  SHA256: ec6ab357ce1c8c900e17d93801204fb4207098b6fabf8220323814ce38c2ca71
  SHA512: 2ba65861b0f114ee33e23edf3639ab5f9a534f37958ae101ab826d2c7dbbc9172903dfa7f934c5d2c340a2cd7c8fc2d3a6b19ada280f2e7195cf8b30ee58230a

- Filesize: 91KB
  MD5: d37f26bf487b0ad35e1b9380388cba3b
  SHA1: 8ebb84782e4ad34c539c2be57176953cb1fea467
  SHA256: 0dc311b47bb635e66b61b0f0adc7e5c17493c4e1812a5325233c3357f2bee2ab
  SHA512: d972d4c884ad227dd4362bd20c558a1d7d27bead17f4d854e71d32a8102d4899d1feca086cc8a60600b5302ded58a18276f0edb7c994e435595cd46ce31e7712

- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

- Filesize: 393KB
  MD5: 61da9939db42e2c3007ece3f163e2d06
  SHA1: 4bd7e9098de61adecc1bdbd1a01490994d1905fb
  SHA256: ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
  SHA512: 14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

- Filesize: 393KB
  MD5: 842a945b7b64553ecc50d8ce15d12eb5
  SHA1: 6a1a840b3f3943f193a4bb95941c31f237618a3b
  SHA256: f8bed738023a497e25fbca3f1867201cde14518d7abb43cccd9238b62fbefade
  SHA512: f3415e58981ece650cca7cecee2e0d6ba7884c431af147aaaeeaa3dc395cc909a8fc3e29c61a1b22a8a8c5c936aeaf8b7d6b49f385333cdfdb79a0a141eb7832

- Filesize: 210KB
  MD5: 016d1ca76d387ec75a64c6eb3dac9dd9
  SHA1: b0a2b2d4d639c6bcc5b114b3fcbb56d7c7ddbcbe
  SHA256: 8037a333dfeca754a46e284b8c4b250127daef6d728834bf39497df03006e177
  SHA512: f08653184d7caf48e971635699b17b9502addb33fb91cc6e0a563e6a000aeb57ac0a2edd5a9e21ef99a4770c0dbb65899150fa5842b0326976a299382f6be86e

- Filesize: 60KB
  MD5: 347ac3b6b791054de3e5720a7144a977
  SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

- Filesize: 401KB
  MD5: 1d724f95c61f1055f0d02c2154bbccd3
  SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113