badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023716-502.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
6132	B5A5.tmp

Loads dropped DLL 2 IoCs

pid	Process
1648	rundll32.exe
5676	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
141	raw.githubusercontent.com
142	raw.githubusercontent.com
248	raw.githubusercontent.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B5A5.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684556993921010"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5700	schtasks.exe
5740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
6132	B5A5.tmp
6132	B5A5.tmp
6132	B5A5.tmp
6132	B5A5.tmp
6132	B5A5.tmp
6132	B5A5.tmp
6132	B5A5.tmp
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe
3988	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3988	taskmgr.exe
5344	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5604	mspaint.exe
5344	OpenWith.exe
4444	mspaint.exe
6120	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2192	4988	chrome.exe	91
PID 4988 wrote to memory of 2192	4988	chrome.exe	91
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 4116	4988	chrome.exe	92
PID 4988 wrote to memory of 3476	4988	chrome.exe	93
PID 4988 wrote to memory of 3476	4988	chrome.exe	93
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94
PID 4988 wrote to memory of 4228	4988	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfd95cc40,0x7ffbfd95cc4c,0x7ffbfd95cc58
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1260,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4452,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4556,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5000,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5176,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4932,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5224,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1460,i,18054770156404803433,7662684554388178817,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4404

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=1048 /prefetch:8
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:984
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5556
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:5400
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2868350874 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2868350874 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:15:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:15:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5700
- - C:\Windows\B5A5.tmp
    "C:\Windows\B5A5.tmp" \\.\pipe\{66ECEA55-6D74-42F8-BFB7-63973426939B}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3988

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\SendRestart.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6120

C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]
"C:\Users\Admin\Downloads\BadRabbit (1)\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4412
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4fd2e1e0ee89ab2efcf64b13813dfb57

SHA1
f1469469ac1884f002fbe3cba1d8be88cfdf39af

SHA256
b94064c9e6abef05638da45947d0760325acfec963626406aa73bdeb3f3e77a6

SHA512
f28e540f5e356191f33a7e5cb091d9e6fcafac73a94e87d6b96823ff9cd8d914ed319cb3ad1ea76a5e788b7637826b6b5fa6b3a6c96f24353c0c44f9ce0b00cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\314db9d0-6d16-468c-bf20-ef528366dda5.tmp

Filesize
11KB

MD5
599cfcc1d1d9b4257287367a3537dd97

SHA1
637cb876a25d9d3969024df330d7603ce38bbe91

SHA256
6cfc33973d177fd952c4c87ed252837a4cb04b4e5a8ff5bf9554e6345eb3d52c

SHA512
ea8933e6a3cd6b521f5120cc7d2e6310dc19a559fdac4776022ea344cbef10f4f62a8bf5a35f655a6786c046d236425d74ddb7e1796a7b02e052bd66876111a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f034345636c5f29b3c374392c01a81e0

SHA1
bbabe5c836ad032d9dd8b949a015066450a09c10

SHA256
3283f61140659dd5b63e826e85ec6b08ee6c28189c07502a4690349e8a74da60

SHA512
cc6fff2fc358c66fccdbec954d15838e128f6ce1fa996d45a9224acea48ee87979c5c7442d9fd859c0b995ebe0af9802bc0bbb4ea5d4ac657b8a24f44acc4d21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e18ff20d58ce455953f69af566d782ef

SHA1
dbf3a89fa8ffdd35b8048bd04d595396ae317e50

SHA256
777f309810fb1540b45d92bf7fb41f1c6e4306169e15af95e186c358db1eb668

SHA512
7cddf8e3171c6936937e2277af8d547d91ab5804581be02274222c9af316f9d8c6596c9ec58b5bc85add77b8f25b436ec28dfaf7832aea9c9207c59fb6cddd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8aeb761851b8f030f34e4e16ecbe5cc3

SHA1
1488b9835be752c18b7f78bcaa7e8d940bbeab07

SHA256
59fc935ab7f0aabda4108e1ebfb217e7998a2aeff0705edad12e98132b113532

SHA512
ac6f812a6596bb31af3d633c4946885f3e9fac6bbdd09d46fb0792cd067b23fa0f7e2c553dde1c7e37b3cdd462bcf559b46e8659e1819247982546618145745f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f0b35da6e32ce9c80e1423ab266242e0

SHA1
47bd66fd4ba84242d16660eca8a77f743fc81ce1

SHA256
68d1cd095d74b58079da75073fe933a6254d0685dd23d390fbbed225fa764eda

SHA512
f8ddcecaa533feaf1c71745b528c860a95e3aed87d9d9859a36e4fd602311153a62cf701acc1aa0280215ef0cda6f20191524f3d59afd159eab9766eefd9e2b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e73ebf597e5fb00409445e4c05a68edd

SHA1
8fa6ef35c67184d858a35653704ae2f12903d0cc

SHA256
729603acc8634d4891e5005825a21bb102980435a08c7cd33d17ea96262cec1a

SHA512
ed49e71785165ef75dc8b16e2462853de7c88a5fb7097df4ab09936e2ac9cd7c1335d5d3c413e5d7f6ba8c1c24184c93ac8bdf475199922938834833d3f8ee75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a67d748dbd2f8ba8e645620e8c7c4ec5

SHA1
f20fe8470f510625e760c0659c30c83becc6346d

SHA256
83397571bc33c8ae5fa085d5192f039a9d01123068571f57cda047fdad6ce38d

SHA512
241ac5eda3a076f145681554a0d0423dc9a4c8fa64c34101fe506cdc36d32c5c274d88748b46e3c4890abc9d70877ba52c58e5e1baec6ba7c1bcc073a5417310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
919e75c49432bb92814e56ae1ad57d86

SHA1
bd056f65243ce3d5447a0c60e15aa1b25424b17a

SHA256
c3ae5b4b820c9d310a727f88731a899d5dd4092e3b6f01ea9cb760823359e51c

SHA512
7ed83e251858207bc33e322dd9606472071ff7c52bbc9715b22a544ea3246812f3b1f3bb3538037f64322ab064bced32a399b093fa7074f7a172cd661526a3d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8df2362d6b0ff3caf3b99bcd637bd9fa

SHA1
fc2cf164c1d329796eda23fd46ed4af911f8d1ed

SHA256
205ad57dfcbb8f8151db22b41bea18e2b6558a78497e8f47d128bcd025ac4630

SHA512
4c30a768288ec45da68ed94968d5bbba1dba50fc90d7d6bdf65887c52cabfa8abb9a17525c2c78246ac08b6462a7a70124b239ddcd98e123d332868292ee5e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
54d15fa314c016405dc0df757f70a147

SHA1
7cd644204dbfc3ba058c87c5a1605b0c1be71dfe

SHA256
b04afc889301e9ac951dd2f2148e49b24ffd1010fc189d6d3b7679ab4aef7f7a

SHA512
e6f546109b56dc124c9d50cbb8a4d884f38f938652d6db15a698e5c5de7073bfebd8b094f6428e4619cb2cf696969021881e36c9d904f7b16efa389581c8724b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e0da5d06e67aa341cda75358171b56d

SHA1
912e199b9b834f526472eb3bc93acfd8824d60fd

SHA256
c5f281078fc2260290156dd34a7aff43275872cb68d5cef7712144779ed879ee

SHA512
9fa8bb3aa79b3da32a15e9d0f1715ff9a37fbaf05775841c08b9a4d41e9d2cb2f39815cac4929553788f15525e4e2e7a435a17d4ecd9e9905335f867c65b37ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e29175a39fd1fc08620d9071c0eb3c5

SHA1
d509742f110e584fb42e43c785efbd69639b49bd

SHA256
6ca29087241f1bfc190f95f433203f25e64045ba08036c4448a3b661e8889eef

SHA512
dda9ee96e350be39bb4c7745927e99bbe0ea481a57ee131a9863e35305dc14e3abba88467e8464f9e7c4461d2e7806805c22d67131af94405a3c7c578178257e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
75719cab7fa7483cd7eb614b0216b4f0

SHA1
0995dd120d9c2734545689bd720a539da05f7645

SHA256
9e14fa49228fa554a1a4e62544270df10a9f0980fc87ff9a6297d11cbada5173

SHA512
991728dfa7bf6df2badf5d9ef3fec15619544abab6b9219cef96d45434bfaf08a80c472ba1e276b599ddb3662121250454aa6c9e4fe477f9f824350cedda86da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e3c8394237be5f7a7290f384ca74a1ac

SHA1
272248813c2888fd1f14a94d8cb543e2b209b322

SHA256
057d4ef65194ee7f8d15970a4949327331112afee880d1ca5b1e632b1c841632

SHA512
2db7f72a042e1b293026f01c12b3545e880f6eddf9835b71bb602ef0b9d636cdd67880f121f8eb56accb5924501cc894609fa99dd0182fec1bc896ecb38f125d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
55d6a606c2eca01615906c5e0af0e572

SHA1
9781f40cfce1743b75f894f12669d128e20552f4

SHA256
9f9cde27a4ed2bb891a2205caadbb08657032d54bbb1f9862fd4e8a6b582dfc8

SHA512
74929187a26b59b460c2be0aaae83a06bb9ac48dbf358da88a334e2f1a044012fe102f3642684881fe6fbabf88f55aa55014fffc45663665a6b7215ada72da21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
24bc87981ae14da491139147c9a65ff4

SHA1
1fd7171d7673b432b580c398ced53164140d6267

SHA256
d2c1912a35e208e0d9ec281fbf312ccfbeea1800e8c6884fe5d479e79c0d0590

SHA512
9f3383df6fe593290b7293d3d30593cb82664707bcb505e47aaf26bcafaefd4176aafef96182849b084be3de4705e559c3d313427937acee3f68283c203531ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88c2c5c632e85e24368068541d5dc97f

SHA1
4c7ff7c96f9936ac1ce88b18f1aacf1f23308638

SHA256
d08b086a79e0ebf7a897e585364404c3881192511702ffe6779d2e80faf4f3a3

SHA512
61708e65401b0a83b00e2d1122e0f81592a5cd538aec4000c51960a108240cd335f744ceb50204087c48f245397f3f57609467b27d89f257ef2f6fd59acd12a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0888a5e2b7fba0e11e75f3090f97b8e

SHA1
0e7dda821f8bd15739c9827e51a582f33756cfd1

SHA256
887abf5fa7635bd2f199646e8e805cca2476f1fcb3f35d072c905e25554287c0

SHA512
332aa8a5812d4da14f75c950f3f653629782359fc8617e0ebed35053fe738cf7ceb23789f6df987349fe01ae8d2dd7008dbded7bb95631f007bb54ce95e55e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f0c8f21eb7beb9d1470a3340f05c7fa

SHA1
939c7db82de2e34a992c41fc0355d91bfee1f951

SHA256
e3dfbd3743c848447ec9bbafd5c214f7da827df9317f54f69f1bd3b0e7613880

SHA512
f54b992c8022f3398edc9ea580a0d22a9b8d80e045c62397568cd532f4fda7e2a85a4707acaf3d67d9422ed6363c9ec48f67c1e979a0cb56a085b2b29c9187fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a8d4ce533089354e8fba6bb9bae9084

SHA1
949efe2247c3f4cf5b811115f159224bf31e231a

SHA256
7b73ed61d82d08a58a5ae3a0048bd7fc50989b7036134c964157f18a56f88022

SHA512
f3023b7cf64ad6337cc4d55b4ff563b372ae39d16ce07a9b4ab818c7f917e69a8a4758dfb1f3e0370234957f7f659a157cde14e41401d1119d1f4e08805aba7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
12b01fc5dbee661b9a796e8a01f61b48

SHA1
c815a4bfa269cc5640bf0c018549b6b97c28ec76

SHA256
8efa6006118d61c69c015ba164c4e17d71ea7ec51d121e8f7101baf345e1342e

SHA512
f9a4439f7394b18af4b9c23dd477deb7df3506f47e55bbe5ab2af7c664cb6be828947900db738ca1c2ecd540ed92c3a065dcd027e0ee9739732c4cd270dee360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c230e37325c8f9531a9a8579c24669ca

SHA1
5ffc64cf052ec4ae958880bc81a63bd695cc7259

SHA256
7ab9bade1ed253619806587761f16e8c57a92a440034c8d9b5a006584e303952

SHA512
9c962340268d8b143102b2d58168657dbc4890c95e877e5b6977c5335ca69e7d7d9349eae1a4d7344e87ea08e9795431158dd936eb4e5bada9e56761a4d86c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbcad5c0a5514cce6ff75e4f4b8a0148

SHA1
0f16da9f29e489dbeba38488e9998a972381be2f

SHA256
15cfdd8ded52faf6c19cf91734ead8d2c878f2e84bb3527f686c17294072a470

SHA512
48a1b24af1d1a2908bf20f4ee5afdf0d7de281dfb03e65d12d33a7ab34862d05950eae57e81afdd44423aea79c04a3daed8558a5b21876b2ce2fbeaa1598392b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fbbfd0a67b3459189952681386306ffd

SHA1
3eaeeb562440e60ddf358943278b23240e4c8962

SHA256
17ab5429e4f390f64266e7cef7cb28ff95a625db770fcd24643d254989ac4ea9

SHA512
fe54c2c65817d074f2af04b7edac244ee8dccd71d2b8d93053a4a1e2b822efacc4377b0a5395f9c6ea3cc1ed6b81c6d59af5062818e6e8c3f04b0dada8624304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5376a22269e511780ed2467f03f02034

SHA1
308a0fc6a02de76f9909b45e4c167cba254f56de

SHA256
4ca3b6400d3ca80242c47d1d66bac9c9320a91d70d65f947344630e5267473e8

SHA512
2ba4b4a020f11c7f69e277a26d6a277cf07cb8a57791f7f4dafad2143b3172a5c4ae27643a3ea00a3c1aa81608b952ab062fa81507996a61458de2be47800429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cecb6f09f7b647c0a6740dae20b27a56

SHA1
e9bb27e558ee333589ac7b7aafbba4c58e5cccfa

SHA256
586f458f95227478cc13f92130fd5d43214d054f94e029690e6b16973ce66c9d

SHA512
bf2f20689ec66db153deb502a25637b64b54fc38989e70cc3f1f8b106fc9a42796a88b8ac8ea67cfc8ead481c50b746174d11b7cfa8292cbe418b5348f80be16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
149536faee3abcf4f7d87f85630d0282

SHA1
1c3319dfe5d27cdbc5fb304c3a6c88a2f0126370

SHA256
56e2b4f6950c1b50696047f7350f70b0c7b50ff6fb15916ee3dd751dfd719645

SHA512
61cd2a55dae57bee9b04520557011a07d2da9bae95bc1e19dc2a5c301209c121b907dd2223467d143f5144aabd12e9038c61c5daa7060fbd78616b862576201e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d537fcf2a582b9394ae63dba02b08d58

SHA1
c9b36fa916dcbc267f3868b4ec938d0a505f515d

SHA256
465d4782fba4363acc80a2b4ec63e267e6304407b4100965473382ed35b90d6a

SHA512
8561a58614a6faf791a6e59a4509d1da6ce91fc606e0174456491c07e8ce6b9e43974fc9b83f0b30d34aeeebb41c49908d2962207792a02b273d42bdeb044abe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dfe6479605eda43c32e96970bc6aa641

SHA1
a3986f16ce6ba05fb8e0a10f8ce3719580b3ec16

SHA256
d47f8af7cc485335a6f1d7088e471afacdbab80c34fc147ce73ddc90c5916ce7

SHA512
1c5ba763f389682d1a889059c3aa01ef09015eef65a3a4732ca1f12d4f8174472956a52cc31ec52b31729995acb1b3bbb90445db7b89230b687ac24a91c54bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ea9afb762d8a867955ae2797264432a2

SHA1
d94c7574b3c34be6b7fdb28ac5c1b26da4dcb90a

SHA256
c013a60f67a29b815c3af130e9e5fabfbd790ac545732795cf583ae22c95a6a6

SHA512
7bd63a66d53f411d0bc1e09cccd3b791d72d961884a1935de3964a1c6cd792ce798ca2dbc314c97c8ec84e8344446f695bbf1214523cd21cc460cd8d8f570e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
48fa5e725149736ae83c6f388d13c4b2

SHA1
c53d31bd50e0098d7de4048304fb74b848b41a6a

SHA256
c61827a9736bc4dff77e0bed62819a0b819363a152bf6c8e16a7fd3ef5757c17

SHA512
90ecae2e185abdf6fd538a7897f3ffda917488fcdc8adc64ce62daffe3892a293a63676768856e99852382f27262f0bc350a6d75f940e5857bac35e82efb19a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a5e1ff339baac5716bf78b60be812f6a

SHA1
b402152494d59fde7ce73765feab1f888d16e954

SHA256
b1b4414fff6fab177a185d5b6b7229a802c8315911672752585a3878c196af41

SHA512
e8640ecf184bd58899d866a20dab0366e3ff6750c9b31bd966bae54482e0ed12483a0dee539c3f3beed25e12ba561908b81912b9ca62345c3fa6fb2ac0ecddef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7386c02aba764283acecc93c83ad9803

SHA1
a55e4eb07007c4c5bf3070d3291114e425c06e20

SHA256
b63363c398228ae3ab96ca88cbb13edbbe9564a554c257fda3dddf81cdaa8778

SHA512
4694818d22c6f1d97cbafbee22f758f4bfd9f3edfdbf81b08062c705dc914f566f2fa5738ddf7e9d2c956f6da596860166898f1da2402c12d120af4598714ab5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5fa97d5e0102dd258da8858777b72659

SHA1
36f739f8fafcd1d2c41de8dab2794c3ec141ded9

SHA256
3bc6eb0611380c2d6d9464af5d048a673dc27dfb05b0c219e22929ef9109aef6

SHA512
1de1323166f4dfc23fa58a60715f63d29d860e5598f0ad14fd255b2fefea274490fdcdde31b161803173b6212ff2facfd6e9dbcc7bfb8d426ed85ab23c28923c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6825b2ef41262d148775d55086663b34

SHA1
f6010e8828da0b1d9d6e7a4a8e1aab9baf4313be

SHA256
7ee6d0e561d4d59a88fe77576d0c02b5d4fc3ed3adfff19ea573af6064ac5285

SHA512
2bba754de18304208f1296acba7400c648d119732fdfafeea06ad851c2ffcb0d6ba38be7f042a111d496848309d4f642f54aa451aa4c63057ef4f27a6b8b1571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a7cfd919b25fffa8d9213db726a183d1

SHA1
db009f6646e5b7f42117b8ca38a08463571a148e

SHA256
b220d75d6461629814ebd02745d0b03fd55d133cdbd6c747f343f6f05e311abb

SHA512
a5f419b3a39dc1249b6b38a909b0895fd7fa6456517e949014ede9157007ec393499224793eb42519bb00bc8751cbd395c1518f2ddd2f926c642a098002225a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
53aad4c204e62b9d331755460dd2ea01

SHA1
752b0f290f3161c99e0ee213981e18266d705b89

SHA256
e0bf6a06f44ed0bcd687a3949ab59ef97d1dbc9ef0690655e0fcb54d4c4032cf

SHA512
6fc9bfd5f576a170621874fb14c1c1b67d67f901248fc6ace186f832cebb61639fa62de87ebf47fcd487d615d733fbc42529940de69a2ceb5476bf3679def553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
19ee189b2579cf30acabfc5decbe8d60

SHA1
f89ac7d26c4e4c5960b10036c1298cc5a5eaf046

SHA256
4512f9262716aed6d2b1c66213bab2a60eee5681de49fa9068fdfa19c2806f3b

SHA512
c9520fdf03a39a1e4e2a5542e5c32a95afa8a9a176b37df6af3444c9ac7b8ca874bd7b501cf57ba18af918df117adc8850e019a66f392633d18d2f08ff4cfaab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1e68ac3c86c5050f93be55732d09dc05

SHA1
a077e8800f7f1d7872a11262e033bdf07f4531fd

SHA256
cc203ad57a3279144b1a9737135e300216379821db58484b1dccb883398fa081

SHA512
65c3a0dbd64960f97652b3c8174a66ef83ac959d9da521fa264688670fd5a7107d92d8b440259b12012ccf012f1b4c1efb28ccc1178337d7f14d0b9afbccc29a

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
cf682707254f1f2c1dc2fe54053d31c4

SHA1
0c42a43850f89e272048c4020e5cde7683ab70e1

SHA256
e0c5aba83bf705bcecb6563a312df18d5a01f72992d1350745d73bb3154c8841

SHA512
9caa0536239749fb35da9ddabb7649b3d49cd4426e3ab17cf9156d474ec6b00b099b2861328e058dd96dc8fed878728cd9c8b0406399733e54159b909935a44e

Download Submit
C:\Users\Admin\Downloads\Petya.A.zip

Filesize
128KB

MD5
1559522c34054e5144fe68ee98c29e61

SHA1
ff80eeb6bcf4498c9ff38c252be2726e65c10c34

SHA256
e99651aa5c5dcf9128adc8da685f1295b959f640a173098d07018b030d529509

SHA512
6dab1f391ab1bea12b799fcfb56d70cfbdbde05ad350b53fcb782418495fad1c275fe1a40f9edd238473c3d532b4d87948bddd140e5912f14aff4293be6e4b4c

Download Submit
C:\Windows\B5A5.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1648-496-0x0000000002A50000-0x0000000002AB8000-memory.dmp

Filesize
416KB

Download
memory/1648-493-0x0000000002A50000-0x0000000002AB8000-memory.dmp

Filesize
416KB

Download
memory/1648-485-0x0000000002A50000-0x0000000002AB8000-memory.dmp

Filesize
416KB

Download
memory/2904-584-0x0000029E8D5A0000-0x0000029E8D5B0000-memory.dmp

Filesize
64KB

Download
memory/2904-588-0x0000029E8DF60000-0x0000029E8DF70000-memory.dmp

Filesize
64KB

Download
memory/3988-523-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-522-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-529-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-530-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-531-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-532-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-533-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-534-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/3988-524-0x00000166C1E00000-0x00000166C1E01000-memory.dmp

Filesize
4KB

Download
memory/5584-331-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-333-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-334-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-335-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-336-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-337-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-332-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-326-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-327-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download
memory/5584-325-0x000002060A8A0000-0x000002060A8A1000-memory.dmp

Filesize
4KB

Download