badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
418s
max time network
419s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000233a6-380.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2888	BadRabbit.exe
1560	48E6.tmp

Loads dropped DLL 1 IoCs

pid	Process
1596	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
97	raw.githubusercontent.com
98	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\48E6.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685867273079801"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe
3116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1560	48E6.tmp
1560	48E6.tmp
1560	48E6.tmp
1560	48E6.tmp
1560	48E6.tmp
1560	48E6.tmp
1560	48E6.tmp
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
368	msedge.exe
368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeCreatePagefilePrivilege	1068	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 4368	1068	chrome.exe	84
PID 1068 wrote to memory of 4368	1068	chrome.exe	84
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 3944	1068	chrome.exe	85
PID 1068 wrote to memory of 1488	1068	chrome.exe	86
PID 1068 wrote to memory of 1488	1068	chrome.exe	86
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87
PID 1068 wrote to memory of 968	1068	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffffb5acc40,0x7ffffb5acc4c,0x7ffffb5acc58
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5056,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4580,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5388,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:2736
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 817262697 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 817262697 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:38:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:38:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
  - - C:\Windows\48E6.tmp
      "C:\Windows\48E6.tmp" \\.\pipe\{02E3C769-72AA-4308-861A-147C88D664A5}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5548,i,4378516564263098708,9257426303866026739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta6040b07hba43h4d69haf13h3b1bb335b283
1⤵
PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffea3c46f8,0x7fffea3c4708,0x7fffea3c4718
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,3136534319293903174,14067752674672826805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,3136534319293903174,14067752674672826805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,3136534319293903174,14067752674672826805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\525a794c-aa15-49a7-9ab6-bbb17c471281.tmp

Filesize
10KB

MD5
bc42af36bec92f7b9b6dbde0a16d6775

SHA1
9cce53f23b184038fb5c266b60d83881ba4fcd54

SHA256
7e0ef4d20f3b7fd2488ae6240e21559ed8e031a08652895bdd331757365504e1

SHA512
3ac390e2a3651d7b2993b0df8aeba24271ef484b4595e153324c07b75ba4978b34547aba0fe27495320cf5a8a03dfd2b1ae4e1d9bd4c69f886fe15a499629cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0ea940fd56232b72a1c9b094a54c5198

SHA1
3accb8b8129d5696c36d4b8896a558a0d2302cbc

SHA256
2a6624953e58bd004997a1844eb6670c7c0b320c9264fc820fe66e25c27ec2bc

SHA512
ca9bbd72679e8f622cde18b4ef89accf7b38a2385b0b68a2a12eb2b7b48cb18472b97337f89768e5ad2842a74e57e2500b27f566dfe5ae4e9ce806f57b0c6a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
4c02a21ad930aadd29eaeb553bc56f22

SHA1
e1548f37f0fe3abfdf1914257ebaf9f3bc8039b2

SHA256
f7a45337653a10af51d602f12470ba146d8e0d2af14d8e540fe7108d70f730ae

SHA512
b734c3c0e400cb56beccd212276510b194eb5b9e8c657ae64d353b6e05a8242cf1731f2fc6abb9859b73f96954d665d424f9f7fd174dfe4582ef4acece758cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
248296a2f89f16151d5803e17e0f1d4c

SHA1
b8fe04b7fb04e28da04337234c7d5c7761ae4237

SHA256
f740cbffde0ac39f227fcade475495ae7d2cd091c150a4c05729fe752afe0487

SHA512
0a0ccb88dd20ea774b20b79814ef6460373e50c53cbb4d75d3949e267e8d31e2a3b8604cb153ec3722166f0f2fe96a7055231aa99cdff9efc8c56a82021e66f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d90106a25f4c5ae8e3242c99323b0db5

SHA1
36e6c0313ccd53080841d75221eb3ac9684f5099

SHA256
c8a69800763881aca77192469aee5853d9f59580d2d41fcc9485f7c94e86ed07

SHA512
ffe500caf7bd779b61f022414a6d768c9bf03f95299343df3e1b81bcfb7e1eb91031aeb6b1a3a02ad410f7ff79b5bd5314114d7b04cc0982a4a4581f1527928f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d3de8e586b41a5770f2a3c2237f2006

SHA1
56ec933c3b98d48dd1c89d82d2c0ed97e5c0160e

SHA256
c028fc501b6fa81d578b1a550d65f97f74fc95cb918eb785404b67c8c36ec69d

SHA512
5f938bc4f9cd70fd2e1d08843c2275cd6d538e92bad1775c351fd1d64f2ed67d12c9acca720a1567567f31fad3fa394254d6e9bbae47b61b9deb65a5f25c9991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0b7257990d06342495ff008614580437

SHA1
12cb73084f6f1f0ddc6edb6042a3df610ad7ead5

SHA256
64525899a172884118ca184082d5fcc094bfdff9d954a9f4b5d52a2fcc691b14

SHA512
b76adf2c73331cd23b72a3fb8b01d598070f332a8d3b49182a20ccf019bab8a0f70eceab158d0c66daf8d4125430777ea8deb6a0b06abc245deb4ace0fb022e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2474ab659e4f685e3ef2ef607856feb1

SHA1
628a4eaec511e2c066887161f9b8f4a59805a374

SHA256
f25b25c66fdbeaf85da59fa148d9ab1dcff23dadf0679ccf500964b3d5d42d0c

SHA512
db8aefcfb6fd0326eb58d59ca7ad92cc5805376bc6b52b0911aa2c8a2c46b0086f69921c37459a6d3893326549b78809ed7277706948d7b4854e9435a26ae3cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
11a289c4ed2adf3b0481d6f60538ceef

SHA1
05c07d8a2bb64eaa2792f9f1524d1047ca76f5e7

SHA256
02fe8258181727a4375340001dacac2fd073b4e183757925cb98cdf4dbd2d526

SHA512
c27876f44b28e16b96f6996d285f6fa47f0c7b1a35c2ce421be986f2d0f25d0d491fd9fde7fd88c743e178b5eef6e1a1c7c7e80f14bbd4e51b615a0531e0ab14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
33c4bc6dabac9894103a4c679d296237

SHA1
aca5ff8527a8a9037186652c03094aa156fbcaa2

SHA256
7b24512c2c600debafd62efd88c9ee47db5bef653b6f49df3355827a413dea46

SHA512
b5d3fc7efd26280aba69dc2e53a4058e93ba35ddf492605c74f8ca81fceba7126bcf559b2ec8b8840fc040edfe62e20ec02ef605628a982649bd21082b0ffa84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1551c179b22e4c62b451f9fe29a3b8e9

SHA1
3f917d35555425a812895d3d8ea196253cc677b0

SHA256
7de1a173a8de888933fe93df5b27f935200809b8b90b40a0dcf08f9449ce0433

SHA512
9fba6748ee196cb7a72dddbb97fa26d6985ac670bc1b95d6b48dc488f200a35e305ea8b6befe71c4d9f474d4736641e062cb31e476705625870f1c2474d43b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0b0d9eb69b610b4adcfbf2969549f7db

SHA1
396c726180ce8df64ef26c167e97487ce0a85816

SHA256
b6634e47109b157a4c823b83d9d01c5381e71df9c81423c688b4f3b61747fc94

SHA512
c49e00aa5bf43c1a1da3eceec7a544dffb4bd619c9d459c01b2fe46b59f2b4ae6f2307c5f0f96a1c6fb2262cbba35097ca2f72100cf2a9c4f08c2a9d8a886af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b72b7d21e1448f2769c3502949dd1f70

SHA1
957a9169e67cea47b91f7a9e823baf21aa3db891

SHA256
a6c4c819ce0aea4f4b4e4d5c7f1f55e54d9d462d9f4269caff6f3753db208eaf

SHA512
2a0c9f350b208426fd3ca6253ce9b16f6cff73e8dab0df83e80d2fd251d29e6b6989674cd8e6df3f8cf70ed9d8c5b06b4cb3e2a7dff796c760c1454407fda5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb3432c96405bcfcd19122eba93925ec

SHA1
93426c30aea34db68010a7cb5a5feea653695c73

SHA256
9c1265f778563ce0058fa3e23e15fa48eb3108fd214e9bae04467fc7dd51cf82

SHA512
ea2b64701620741c266f935155451202b86f6044cba4b5d4bbb66f9cfa42393f850de055b42f28795b8359d6c3d582016fb2e350cfde6676b7c24e1d53bbee87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5dedc855619a7554eb4226a153183300

SHA1
64a4e936eaf7e85999cb0a698ac7fdeb5c24cd8f

SHA256
9159b2e25f541eb06c5fdf0a7e1994b505ecf3b4289cf72f168964fffccdf34f

SHA512
253b2d2bd4b034690e3444c9b35553aaad04656c017fd3782be0d44ae314f67f75b2735e487e2a9e5e9a90542c344818ce164aa5129f9a2055993fc7697130a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
455ed00a1f51f92a5bc9d9434c933bf0

SHA1
56b90339bcecdb2a5fc21255210cca481ab44e95

SHA256
6d43b2ce13bd0f77c093d1697dd7f0b4237836a94202ef056760c96c908f199e

SHA512
4d75b655d892593e22bb450bbe7e7b5f893582b2e78bdb0442c83f989e3efedb9c48e0a64057ab88fb0174442c75861896cb34fb20301e8ff9960c7aeffb07aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1daaebca848a9986afcc7d03a13b95d3

SHA1
9fe79081ee1b25cb1e21dfa9e2fe06cfac3f3f99

SHA256
279c3b9c1df1168d1c89a7e7d0fc58781905fab0b7ee36529500dd4de3d10fdf

SHA512
706926d98ccfd92da2ca1ae228fd94ca529949be9eedd4c80bfd76061635e915f3ab247960df9166b4a331ad098ad4ba10d4ff5634915608a949f151482092a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a81e90be01a85a7ca660302c05bd71b

SHA1
42d7c9f265ac89b8787578254f57f315ae9c4ff7

SHA256
f63265db103c6c027c1f923ec16c6fd41902a20c1146c3023111960214d63619

SHA512
649bf0a5f1328d3a5f31f10298e17d3b3a8b8745dfe3643d689635e9c827271a7dc2cf0ddb677e04a2c5644f7828372395968ad35697319fc2a61c001747d4ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3321f955904d95dc4ec96d2a34532450

SHA1
4c4b5f429e82f57b5fe1b894bb75a0cae60b838a

SHA256
9794e4fdab2af1de8edde44c63fb2770256743230bc09e8697b40c47b011a3a4

SHA512
78bc7e1f2ef90b2524b3d474bb41ac2caeebbfc4b385a81665e5dcf3d5b0c9f7755f543072bfc6d465d0e981458f08ca3380e1f5a7cbc99ae57ee75659113f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6161d344aa1d8bb6c2df35ab437dce37

SHA1
2e2f4a09db00873fd427723803d8bd952aa62c77

SHA256
37a6ba4c49a5f8e469cee245c89b90d35136884f4564912eab943de7a38ccdbc

SHA512
d743429007bd7191b687d6dd2404884e7dcb166c016ee5ad10d0d28d19d5cadc79cd5688dcfbc114d1b2960435933b0c749ce09b0091e7c8d26e3a8bddbf0fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9531383e7c9f680246d1fe749b798f99

SHA1
e3b399ab3769ce4b905695e5927c6e6e999455d3

SHA256
c2582b95293fe9ca08b2c95dce63b393fe8e68bbd580ac8573e262a6e3b6fbbf

SHA512
a75c10a32fae6f5b39da2c03e8f049fe4d1a71eb367d15a5cb3881de80256775459dd7ff01a6af07aada7408f82cfee4f18d7fed1382293b4f8b74e07bf06e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0eda9c7f59ea3019e0750d0d9b0c5d3f

SHA1
f4ed84826db377a380291f6085de81b63c11bf29

SHA256
c7eff6a4a2b467aa4aeeef97004e22e3afabe2f75bb341899d46a6bf072f8e06

SHA512
48835c792300ab61d52d34f1c153bdd58d37048c5918f2b957fa14463a0cfc0cf4265ef1606ecf8255495a09b7a9a0a540f73465df47b801275a25fb6901b557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fed0f257878e1192128f463ce742b2e5

SHA1
34e33209991dfdd6c95a915411ec0ffe7d4b854a

SHA256
0863a4e0df5174a9d84b2f4d4c0346221760ea2bfe8a277a10ed5be5bc3efd02

SHA512
6b38dc9390c368871285f67e894f7318dc04486d91f1647d0c38145bef30afa6eeb7a38462841c08a43deaed7fa3cb28ca0365da65e371db43a4fab8d13f38b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b61873c3f69b689eb00a73f4a435a2ce

SHA1
92ac806d8f71b0026d17acb469c14185a89e16aa

SHA256
fa235bd6cda55226c0c23e322565cf7a0b856ba0e15c2874ed0de0186c0373d2

SHA512
bb4b360d7b7e0940a9dc325e6d46e60e63e36e48c7c155aeb0da2442261478588f8461c5f4036cc07e896fba33c33004aed6aacb23ce04f9c8934e6eb8754f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
641b840af07ef86563bb6cfd91b324b6

SHA1
5e55fe65b34f41703b6da0e4451ba227ef1304b5

SHA256
19b032c4ac64151d7c9ba0e5664ad3aa65f97864e837365e7994cce304fdca17

SHA512
e6386a6ef70749a57ef310ecccd0e6e947dcd096149b306a19957c3f06e9ade52e8b12a557757a75f6e449c69955d21d5c2df6bdd7cdd8cad25e82e068167fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82c543b9e626703d41a337e999abaa7e

SHA1
965adaff032a5b2a2bc644bacd5da32b60c226d5

SHA256
7b747d14d026859a0e6d20a63e9a84a35f79bed60e19a579fc204572ee9fb608

SHA512
3f4b727d3e579037a3611b25e3db1ba4aca7d9b10ad2b83be2beb51e48c08b250a59b2495b8e3b43d264b30ad95afb9fab357d82e9d198a262ea8d36133eac7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12a0636fcbbd39ac3ec72f26cab135aa

SHA1
1966a14491d1c547e35047811d8cd02c28cca9a1

SHA256
69776ab5cad45012c469c5f05782ed8fe75fda29edd9cc8c3669a9d378a26b56

SHA512
8f6afb2332d6c5329aa644f6a5eb06be801b2182429542485af8b419bdb4913eecdee98a3895267ab27c0377aaecf85bc98d54fada5a50d723cf23c2319de751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7bcd8882be62974fcb6b5d934f1a59d5

SHA1
ee3ebedc7a152c1ebd9ce04cb58e24d293b678a5

SHA256
906781d78fd39287a85e45398978494c6ea4362951cd170b2442fb86502758ce

SHA512
4edb11230e5eedca1e717bdde29010700e91f6e88c70aaa24035852b99d261337f1314580caffd9133bd84a63e7c2fcf9f6b76d37e3e66d12a06b8cff5f71e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c3631cf505af97c99474e2a2d6c276cf

SHA1
b22b373fdb9fba35399bae370086f414e1d92c83

SHA256
1403c1c963c2eb758939593b6545ae3afeff896d784d7a857db7e98d73406e9e

SHA512
884bedc6685c93e3dacf185c462bd7389b0bafe5712b1ab1fe074930c8b72da7ae05c5bc7245c8c7ad604f0c164802870dea9b1d495dcdc9bfb9dd13589e2aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d7702675b1e472bc439ae64158a13d63

SHA1
c2c84fe1ae54f97f3030e6741891541ce1bd9939

SHA256
ec5a8e4ac7296a441cfd839c143dcefa1f973bdfb1c068337855b754ec2c58f9

SHA512
2d289b77f9ad4be2fc37a06d1b80639717b48042fca14aa4edd8e42941d853bd54b3d705a1a95579888a83c00faa2f1f2716d72e1f02b388f251fab8f63527c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b0652205bce5a275a1ff561bd26c8d05

SHA1
8fca0a59f75871e5879db34bd1c1ecc20d6feaeb

SHA256
dea4c5364e8cacf5ed045729beb482f2b1d857b541b33715547b275ed39267ca

SHA512
732fab7e62be0120298edb0c679d444840890196c754fa83c3bd014e2f2d370663c1943c2977616be9f124454fc7f60b511911211053d4e1dc39cf537be1d95c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dfa5a6e9409464bbd5793194a95d6ffb

SHA1
32b0235a016380e23793f07e73ce612f87092a05

SHA256
371dd95ac331116e042fe95a30b1410d533423dd02b1c86cf56de098a16ef30f

SHA512
bb78be186fb430b33ee9d248048d20e5ee5855ae1842c6b97dcaa97ad674d62b2de5cae0b20a490c8be27e57e8f4cf787ebdeb3e458a501990d5b66342f9b3e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1a65e35eb20c160762ed32c499bacc23

SHA1
233ba9b250085de34971ba50f171465af0612853

SHA256
56a3c982af418a42b2a8e822818dd2c3bba661c763a510df3ba76505bd79c970

SHA512
4781f1c3fab2b386a943dae6ab6c4b3ab840a2ff91ff7e4033337c5d8acdf52e75c6bf0b022db16da5fd4a09c02e4195feed9cb35adf1388d46a7d6ae72687db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b000c811f67d5450610f0d380bdb0b75

SHA1
be35be8da82ada7ccaa2abc34eafbd41093179ba

SHA256
ea6bf4c8615800a9e25fb106b1e3f843a6f06dad5d7f204ee40f2037c0ad94f5

SHA512
a7bb4f82a2568342b28dca49f08b4811af4df4a80e52f275be37be6eec95ca91778366337a572eda27b7b8953b9ba5c883b9458cac053986ffc5429010885910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8a82a036d676b55995d9ebc416f34e1e

SHA1
fe0070476bcb2e0e5c581ff01233e9cfc8d94d93

SHA256
02a023736af363728e38cf122125bf6e59bd7001310e896b7524397939bcb9ee

SHA512
2ed81ed7faac75f4be2f5ad98cd565c9b39ff6f592b987c51a5753bd90abd0f7b50eebbbc17e36bf289df99ffc2da7f1075944e6c50b6918543eeb4016ecc7cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
597e15087c87afbe5a3c620b73097166

SHA1
46c29eee6bf1b26517e273a83f96ae8c987f619f

SHA256
07a636a20d68f9c6066772dddc13d0f2433cc5d844b51c7af6cc1281d3b249b0

SHA512
8159090aa052c7b3a76939c0b89d4dbd345d825cb3a1bbf5d41f77e136177b670fb107950dda08325d44b0a33bdb41d44d43af4430734ddfe896e1c68163338c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
07b371b27ece9d79f8263e9752448cca

SHA1
09479a0cc092d1456faf64c92108a84e13d25aee

SHA256
8e9864a30aa99a0eef23b3e05751197e1550c863c1ced6891df43e9aa2389bb0

SHA512
f760cd7c9f92f0226e6e6b676bc5aa34934415f762ddd3e5852e53c6f463a7491db93b76593c8b7cdaba3f9b292ec8cac446d537e9a6fe40dbbe1a900699ee0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
96493bc1f45a20019c34364afaac6514

SHA1
a274ce3edb9cac900d0c09f47873b11493c5635b

SHA256
f64bcc80e89ac4f58ef63bc45e7325864fccb58e027f506d017a489cec210706

SHA512
8bc92ee1cec9d3afe40b87d30575aa3cf5bfe944c176854cddb75eac69e4172e728489f5cd991f1f48c15404eb02fc43191f585414cef0feaea47ba806887f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9c6ccfeacc285a6b456745de52974be7

SHA1
47374fefabbe165d48240dff87db0ed9d72bc488

SHA256
18622663998dd522d83524bac6d6f117fdf811b3985945efcf647afd2a6c2432

SHA512
9d047b2b020d143837d23527ac6ce0e0269d4c36ae4629041cddef8753bf61a8cc1e27a98f21b08cab6504aaafab208570c68ae45476acd25820d4f4aa7ccab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12e8d1fc6dcd3d3b81aab06a91f9f24c

SHA1
4400eede8b201309e5019846933e3dc91f3c8c47

SHA256
2db0f797931801b4fed91333f8393627465a5a6daad91ee8d71faa0139766a56

SHA512
400a988d785f16b6af68377aa4c60b29c5e34c7bbe835fed3ebde6336844182c176ba02145a8fe996feac213f00f7e1d921f39d5f55639ab1020118462955b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1971617f20c385eab83b1398d5086f64

SHA1
061596f16b4b67b88df33a7fc23ceda0e1a79110

SHA256
c3bfd92fd05142936b13735356100dbf21fff0befe1be3f4d64db56d4d2c2a7c

SHA512
c661999ffc3d73c5d6a1cc18974cd3ab4f9b3665abd8acc34a9c9d9c27a62b5fb3db437e993652171f1948e6f9fbf8a953a3b14f1c49c7819fa492e7f1e1ef15

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\48E6.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1596-363-0x00000000027F0000-0x0000000002858000-memory.dmp

Filesize
416KB

Download
memory/1596-371-0x00000000027F0000-0x0000000002858000-memory.dmp

Filesize
416KB

Download
memory/1596-374-0x00000000027F0000-0x0000000002858000-memory.dmp

Filesize
416KB

Download