badrabbit | 4a00fa20b07e039adaecf78a1cad8c7e28851551345c882bead02acd25800029

Analysis

max time kernel
233s
max time network
234s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

803404f348f33c401807e6822084ce6f
SHA1

4248d5fde683ed1c448c10ecef8fcf632c22a0bf
SHA256

4a00fa20b07e039adaecf78a1cad8c7e28851551345c882bead02acd25800029
SHA512

ffdd27d1882892f485575e66669fa30cf2f4ad2b02f5470842470ec5f013c9cf9d28611b394e46178cc8f0a6d48cffa329d4cfbb857b3781c94b0eb9d843a54a
SSDEEP

384:rqrzGDpmReVoOs49i9ylKeGMbU8Hhhbze0m7yS2LjMrSQ+AVJCBXQL:rezGBVoOs49myI1MjBhbaTWMrSeJQQL

Score

10^/10

badrabbit mimikatz ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001acb6-678.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1748	E8B0.tmp

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1460-795-0x0000000000DB0000-0x0000000000DC5000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
81	raw.githubusercontent.com
82	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\E8B0.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4460	schtasks.exe
4092	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586297484213232"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
164	chrome.exe
164	chrome.exe
1464	chrome.exe
1464	chrome.exe
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
1748	E8B0.tmp
1748	E8B0.tmp
1748	E8B0.tmp
1748	E8B0.tmp
1748	E8B0.tmp
1748	E8B0.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe
Token: SeShutdownPrivilege	164	chrome.exe
Token: SeCreatePagefilePrivilege	164	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe
164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 164 wrote to memory of 212	164	chrome.exe	73
PID 164 wrote to memory of 212	164	chrome.exe	73
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4308	164	chrome.exe	75
PID 164 wrote to memory of 4744	164	chrome.exe	76
PID 164 wrote to memory of 4744	164	chrome.exe	76
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77
PID 164 wrote to memory of 4868	164	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8ca719758,0x7ff8ca719768,0x7ff8ca719778
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:2
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4220 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4952 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4308 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5772 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 --field-trial-handle=1748,i,15731616630649642168,9689367731396938350,131072 /prefetch:8
  2⤵
  PID:4688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:1752
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:4928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3256295236 && exit"
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3256295236 && exit"
      4⤵
      Creates scheduled task(s)
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:49:00
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:49:00
      4⤵
      Creates scheduled task(s)
      PID:4092
- - C:\Windows\E8B0.tmp
    "C:\Windows\E8B0.tmp" \\.\pipe\{E4FBE8E1-2809-4B0A-9421-E1446B447625}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1748

C:\Users\Admin\AppData\Local\Temp\Temp1_CIH (Win32).zip\CIH.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_CIH (Win32).zip\CIH.exe"
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Temp1_CIH (Win32).zip\CIH.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_CIH (Win32).zip\CIH.exe"
  2⤵
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
f334a1934fe84e0781c5c31ca48edb46

SHA1
f9cb256ef69ac435ee1ae620c6e5108d868b4ba6

SHA256
e79b727db01e9685db12972b0fc3db8f5cb223e15aab8562a2592ce3ffd7426d

SHA512
488e0247de7067a95bb6a86d977c9182fafa33633d149c2bf36a7f3807b4f449fa5f22af667f8951d49cdeea711cbf83ea467a67a8709bb8d0f52f66a2940240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
28e61c88c4573f1f70a64d2c96c3f8ae

SHA1
7c602f984f5841af52721e68b24a18e75aab7b29

SHA256
748e063d67b61d4e85b916eb58e8aecd1cb787d8be8ceb0b421827ac2e2f6df3

SHA512
6934335b9ebf5b475b8cfb898df1e89d613d3a32da962bb7845742fb250d7920124f41070d8c00a9709ae494a35161973e10589dee85a50ff5e798501adf5e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
da0931f1f29b641cecdaade69e4ff9e6

SHA1
85bfcb85189baf0b2b48941a5012a72cb27cea72

SHA256
0f4ab086ba01846bc9d1843bfeeb2af67e59df76f3638c7b6f56d3eda9c4329d

SHA512
e25c68faf1f03e9096e96441da4ec3ba9dd594b3a69fe93d06ee91c87fc55452dfd89bcda5f60e4e37853984af618fe21fae018c1c506360db3cdab1d5402428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
afcf5d175749db7fb9dcc3e8e490d600

SHA1
9debfd2c57f4ea5a16eaa32904224c5f08801b7d

SHA256
4abc5cb92f93f4721d3386ee61229b586eac9dc85b68ac9072619514f7137c33

SHA512
c9b6422cf2c87f193d11c47625e719f2bc56676dca9782deafd9338467450d20c1ed0176795bafe8253a12e612705d2f6389649493ef66cc2682d694a738538e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7b3142ca186d4b867140ae5c16bb2262

SHA1
13d45bc33202cec2c2862262a602e680e39336a1

SHA256
0d5757a74e019f429a04c622864c6a581479aa5ef712adc181571f821eb187b4

SHA512
0a8915afdc046e4d61e0c12ae60a9153bb2e9e071a5a38714cd9c20c7923c5e40182a6f242685d1c9e4b576e338e39c8f9729e79e91a7b8426f75390ca185b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5550e394bcd4ce1d68cbc56b2ce3da8b

SHA1
20aa3956f3ce2b6f37f7a761c23b295bf3d5a165

SHA256
2f826f805e76efea9028af03d645a819e757f886adb1889aa1e98a8fa75a9fb8

SHA512
6e0e8149a21fffc1f4b3b05738d448e92d1a17b50b0e5aa7f7962721d75e309fcc018850f2263f61a3bdb265ce2d8bbad8fec71fec867e39e86707461622943b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c530edeb65f6fd50ef7b2922db9e707e

SHA1
c40f5cec8e1855371905a475fb8cccfce888bff0

SHA256
aa748476abbc1ae13c707695e379236e2f1037f56c505dc7e211a834a8550315

SHA512
766cffd1081705dbbfb9f541918156c085244f6d9a6eff7aa15f03e3723b660214b542cb133ddc1bed6a05925077cf16ccbe0cd12200f2cbcf7d4c0595b9afad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
5c09634ab78931c714de60ce719b886f

SHA1
5d95826e85ada06fe38053b75126bbc6cd229b42

SHA256
97c9fe75055c1698b183f28d4a00126efeea7f557514285a1d3f5fcdc4c4c0ef

SHA512
2182e33976be2c404919550e7ecfa162d40a684a52591ff293208d93276c9ead189c38b96eead351198385ff98d829eb9b03eaebb8b39715a5d532c5e9e0f7a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a10c165371cca2643595b1003750e0bc

SHA1
165ad0a4cf360f03a4bc74b5d2d35b82cc5c0ae9

SHA256
3595a7dcecbe9fbc52f7c17f757df7e744879e7774fe9198908bc29664721f09

SHA512
02eaa8510404c9017df565a4051228bd7e55b1df166e4329c8ccac977ff4833063d1745bb28cfb2d053ead1a45ce5c65264156e31b0c9019196b4b2ac942c085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
24b63146d39236b16def70be7d4a7090

SHA1
c1463259edd088f2e1f5a90382fc395f4b0b414a

SHA256
29b26017f4f1b4ff140dbc1da7b667e2c19bca796f5e88f9b479a8c9cf89ed7b

SHA512
2a9afb83d11a7ebdb9207ca3308548a9a3c58c77e57b146dfc0d3e81f2a84763e44bdca5ff113613e5cddbb2916a12139c42d17e7575c54713bef890d98cd455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a470821d1227a9b18c7ad93db7d1ba0

SHA1
13eb4b3acfd75ba1520fcfbd5fce554caedcc756

SHA256
8f4d66e371426de6363975ada9bad9a9f7a006cccd554cc4631dbb1d409032c2

SHA512
1fda3e7ed0dc709c37185625384f16999b9484bf244c3c568f1f02ae995d59026f25b995a08a6cddf2e7707b1dd68a396da5ba486d6691be1b6175457529cc64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
17787a6c90c9c764938ca2318e612203

SHA1
0800e65561ae2c5d06f77961a751b5e9260843f4

SHA256
0a0d7a631def091a5d600314a3567b2b9738479ec7c278aa651af8ce1dd52e66

SHA512
434123a5233becc1bb908660939521fa2d658983f9d01d28dc20101da20e55a95237b8dbf4db1fdf227e8252c7b76f846bd0b0ddf2f52681bb4816f5bd60f12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0f4b8f685d61c6b7e770c20c8f87b132

SHA1
b84c2f6608792b37d2d5c2b601092fda3d7be757

SHA256
8d837196356becea387267271c04aaf69a52336ffba6d92f882d8d4315f452b1

SHA512
ce0bf0d4db2802ed9db9c08acd509f9fa84b0c9ac1231f4a722223e05de017abafd284361f6fe5b63d4592fd48cb1f34f64f6f9e63f03f7843f4705543e55e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b93723260c5bbb964790d77749719db1

SHA1
7530a006ea6cd4a7b01600d62132d25c8475446e

SHA256
00da6d96cf3d3b30e0b09e14d9e167d92be6d455698b32f45400f9707e421937

SHA512
739766344eba5c90c6796c4a7535e016ca690e1b490bf8170ce334afc0a459c7499d48267f241a85c4ed7b5528927a256a88d2cdb674b15671d2679d18a4cbbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
af5b88ca92890949dc479306cdafab9b

SHA1
b0bf1920e27d6ff659969b1f4f56f6dc69a9152b

SHA256
c6820a82e2f53198c78ce06593f3efa79f3b5c3de8557f0bd809c53de4ff183d

SHA512
a0dcf541c0665921419b17dd4d9a6d37b0b468815af82058b7cb4d0c2d44d386a6a5102f14deee2699356ca13418d9b07fe37a7e477f3a9d8be39e0c0472693a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a12cc7d2e753ebce51cbdf4509b90eeb

SHA1
4af4c1876c3088b7a453ddb20ce0b40739becd81

SHA256
3ef49a312cd60a46e5aae07434b7e0c5b383ae2ef6d0843a82820d33eab37d5b

SHA512
b2020eea4db47b0522e2a07cac8e3b411b56c9edd12d8a828238354a324f6b85800d6f5bf6fef21f63e81f602a037ed7cf73ccf1afe45f1a2a166975444ae171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5cc3925bff62a32c1dc76a9641a57dc1

SHA1
885da07fb3145c9ec84fac7561d24150dc53ceaf

SHA256
7a54a42bba8ebee2c748aefbad6f6980fb5af2005f66f4120b7ef88d07e975d4

SHA512
cffbe9387761f98d926e7f7f165b088fa4263203365243b46b4657e43f0d053b9e3eb596a48fa9029dd43176e631a43161c3abea899b46c4f86ff437e8402f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e75f759d941b7d5fb30a18f9f0e6b02a

SHA1
4a2f4855444c45e43df18c727294606d3bea2a5e

SHA256
233ec6cb8388fa7fb505656a6613c8f48c847d20b8b2411dc9a6f546987017ae

SHA512
feed585298fd94fb620d4284aca967f4877f67224b2ccfe8048d4ce591ab4e8f56a80997b932bf93f1cd04d625da9c779a5e353990c4f26b3d36545653e3db55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb7564c9f364edb050782d82803a8db0

SHA1
5068a299d9f6ca743a16a9312dc4c47a50df071a

SHA256
a053a2e7da9a60eae3dfca1e44270f965e647ccfa9e11cd4206843894a924712

SHA512
040e8b75dc431f3331bb287f7e0d5f38b0c55453c24e1f6b205a6490cd04fc2dcbf69f63c155f197e177ddb2cb9e3d0cb78c6ab240696e652f3140883c55affb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7136f68fc3fb55f43edf98a44e21c862

SHA1
cc7449ea2fdfd0c02dc707afd53174e1c93993fd

SHA256
d8bc5b6ca9951e867f278cd6b0724578a58da9db31aa965eb09cc440a4da9c7c

SHA512
4163a980a8c4c5f88afe745826140f22eccaade3b8186ac1fa0e42e28700e27392cc9e3c5bca252f01e5830046aaaa05efff1cc94e03ea3ca8e73e2ae43ddded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
185fd83a89ead9809753401235d86fb6

SHA1
81ba6dce6ab92d463602a318d82c555ed1219f0a

SHA256
ea856efa2ce2763c76254a6628db32c3e6909666fb6d52cb5f4d51fbfe7e851a

SHA512
1f97982c4b881c10c23c29f6b325ff75b87e891d340f82f225365a3d5456c59f57d60e19969fe9328ec8599fe0af6f133386dbe50c2c67e20d5a22dc027922ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
349782dd49751c1557662aee21db610a

SHA1
46b591158bbae122d7005fb0f14b8564628a253e

SHA256
398ae0d7080440a15be47127e1463590eab6ff9b6211070a1985897ff6d0c675

SHA512
8f2f8a3a487b1688582cb09024f8165ca364524eddcd4266aa282e36cdfda68a6f704d1c49f0e151936cf936423aa418c258940f8e5e5bb5ec5bf6049c186b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
85862ef0c4c998d0fd68fd0701cd71ba

SHA1
3eb0782d6664608aa381633beda50dc6099bd855

SHA256
9401e25718acaa8029af2e349c9da1b457378edf59baffc97338eb74f040bf98

SHA512
699916fada42d98894fb405cbb9188365808fda5aab094197e1abaafcff5f12ba3373256712f912e1d885a8306fbbae4e4f04da2681c3edb2605d4e6b7f54f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
2cd77e96bcb039f922e177e4ee28984b

SHA1
344d9903a2033a5f9e701293060134dbd3231077

SHA256
d03a2eb2ec952c6a83cd74bf45bcfd6c4e1209236207955ee90c601b999688e9

SHA512
b4f9bb2e36b13091a81713d606be313177b97c9a19cce80e5667fe1892f96884cefcff41c7d44970153885e583c12d47716c57cddc43c076b9de0b2d0d41e9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
64d7c3ec4f5db821f473a1e13075bb7a

SHA1
ce20ad97484f2a8320a898a923504cb362306247

SHA256
a69f6d6e807623abac08f5438e29f3c6cbed921b04ce26f4bbc6636f5b80a9fe

SHA512
0880b2b91bb14d940057a03ce824d8cb5e2a73d8692226e2c73b9560546a5e170586c09925b33fa4033c46ce5989abe425aaf1195a7e8e4387783b718b98e9f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
1a162f3aa503f0eec92e7f938ea4e948

SHA1
188df4662eeca4c845854dcc4fab530f73701bf2

SHA256
5d26556d91aa635c27cd26db285e68d25f39483da09f8ca131de45dbd7757a39

SHA512
fca8bae350e6452222a53b6ec4e845f924ea95d79ccd5f350d560dd0c5f45b91e1b2d2f3c588570c4e7e7a4838a718985df1e46a58d84883cad518cfe933de2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d997.TMP

Filesize
91KB

MD5
4d3974ad664d3f9baa970abb76fd5f5a

SHA1
bc89f77ed5be17d17e540f460d6a104882337d2c

SHA256
a98b2e7862b5b2464aca3fd94d60848611d07958b58b61a0e6cda3baea3227dc

SHA512
ba90ebc951cd1271e458677745bcb5bf8ff7dff1f5763ef2b442345600c5d72de6b32b47757e6eca7c2f239df1743d459c879a354c5590315c869558f5108ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\42.zip

Filesize
41KB

MD5
1df9a18b18332f153918030b7b516615

SHA1
6c42c62696616b72bbfc88a4be4ead57aa7bc503

SHA256
bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

SHA512
6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

Download Submit
C:\Users\Admin\Downloads\42.zip

Filesize
41KB

MD5
3e88e3ae3785f31d58c81a9aa34190c8

SHA1
410ccdd3fd2f0eeceac5c971ea12dc7e61988de3

SHA256
f56379651e34e9c6ce35480c647cf868c368a8d8013d6d9c9b31b07f7b17a616

SHA512
a5a6f45ba0e440986a4f7427336ea0f277e674c7db2d90dd1a88853cbd2c464c7cd3b110a5ac83be2c3abe2c2bbfac3af73cecfff5491dfb2abb7346bbc84050

Download Submit
C:\Users\Admin\Downloads\Annabelle-Ransomware-master.zip

Filesize
169.6MB

MD5
db4192243e3fb4bf6b7c26df8b58a6b7

SHA1
662d98e69dbed00bb7660ae16110ad1f8783fc2f

SHA256
eb1b7aaef1f11b669bbeea30dd6af248f05bbcb9de2e99a02a045eb7cb3620c7

SHA512
c9cd13a2daca7caf940b2d7f1130bd220740f025e06ae9257e5220903346002d535bcec34384b2199a3eb53ced8c98eafb62567f8aff5d6dcb55cc9fe234f6d3

Download Submit
C:\Users\Admin\Downloads\BadRabbit Ransomware.zip

Filesize
395KB

MD5
b303526df291ef092a7650af3d4d63f8

SHA1
97c6532d1df35b3e5c352c29006985468eb7abc5

SHA256
7da4698bb24746aa5349e9e0b3645a7fab8a977308e06c90f5282dbb5ea7d00f

SHA512
603ff899d40df62203cb1d945bb625f10d6eeb439ae5588175fb04c9d850b07517f2b82d2a02f8b8f8a493660cc2a8b592875fcee2376bb6e7fd322398a0ce66

Download Submit
C:\Users\Admin\Downloads\BadRabbit Ransomware.zip

Filesize
395KB

MD5
6f3bbe10ad7b14378db47e847f494f65

SHA1
e75b7c7bac62c77cd71bf3663756b07593000f0c

SHA256
716be1783707bd12d9ea235bf88abe96192a178ae67d9dfa545827b66e599a20

SHA512
5e01d4d5c90a24ff47df78840dd45cc3ebbe71b70955c5acf4851143f7408bafcfe44bf1c5083f4bd0e3fc7ec16fc3b8605a0ecfbd369afd0a1e425b0b156f36

Download Submit
C:\Users\Admin\Downloads\CIH (Win32).zip

Filesize
23KB

MD5
859975bdd4fdc8f4af050dc0ded34160

SHA1
d24c5b1c18be9bed4e18d8ad00cc8fe1a6d7d19c

SHA256
445cab9732a748e0d983339d925d9bf8907dd530a300d2d86e86a2df6f1f8749

SHA512
ecda0cc9c62b590cfa91d5c5b814d3d413a8de5ab84db117a6ae7bba0d237f37895f78f6eface71121e9e3691183412060a5369024432202a7cf2e79451864b8

Download Submit
C:\Windows\E8B0.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1460-795-0x0000000000DB0000-0x0000000000DC5000-memory.dmp

Filesize
84KB

Download
memory/3800-796-0x0000000001000000-0x0000000001007000-memory.dmp

Filesize
28KB

Download
memory/4000-672-0x0000000000D40000-0x0000000000DA8000-memory.dmp

Filesize
416KB

Download
memory/4000-669-0x0000000000D40000-0x0000000000DA8000-memory.dmp

Filesize
416KB

Download
memory/4000-662-0x0000000000D40000-0x0000000000DA8000-memory.dmp

Filesize
416KB

Download