badrabbit | dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

Analysis

max time kernel
240s
max time network
240s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-09-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VencordInstaller (1).exe
Size

9.9MB
MD5

1b8ee61ddcfd1d425821d76ea54ca829
SHA1

f8daf2bea3d4a6bfc99455d69c3754054de3baa5
SHA256

dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871
SHA512

75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a
SSDEEP

98304:jmPUf5A91QP5oToUsbeRwcyHekFeSpc12EKw+KVktWHBLmpTN5huJd3kMerGpNTt:SqqQP5oKswpLi3gOW

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000025c55-997.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
2468	F9C3.tmp

Loads dropped DLL 3 IoCs

pid	Process
2672	rundll32.exe
3096	rundll32.exe
2472	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
62	raw.githubusercontent.com

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\F9C3.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3192	2656	WerFault.exe	104
2260	3644	WerFault.exe	108
1016	4352	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703726801012405"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3764	schtasks.exe
416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2468	F9C3.tmp
2468	F9C3.tmp
2468	F9C3.tmp
2468	F9C3.tmp
2468	F9C3.tmp
2468	F9C3.tmp
3096	rundll32.exe
3096	rundll32.exe
2472	rundll32.exe
2472	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4408	VencordInstaller (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 776	1528	chrome.exe	82
PID 1528 wrote to memory of 776	1528	chrome.exe	82
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 404	1528	chrome.exe	83
PID 1528 wrote to memory of 3648	1528	chrome.exe	84
PID 1528 wrote to memory of 3648	1528	chrome.exe	84
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85
PID 1528 wrote to memory of 456	1528	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\VencordInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\VencordInstaller (1).exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde819cc40,0x7ffde819cc4c,0x7ffde819cc58
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4672,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5056,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5092,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3324,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5292,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3444,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5584,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4816,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,15404059850622594983,17821326233281076576,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Users\Admin\Desktop\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1456
  2⤵
  - Program crash
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2656 -ip 2656
1⤵
PID:3216

C:\Users\Admin\Desktop\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1424
  2⤵
  - Program crash
  PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3644 -ip 3644
1⤵
PID:1524

C:\Users\Admin\Desktop\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1428
  2⤵
  - Program crash
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4352 -ip 4352
1⤵
PID:2268

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4356
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2149023074 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2149023074 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:416
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:46:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:46:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3764
- - C:\Windows\F9C3.tmp
    "C:\Windows\F9C3.tmp" \\.\pipe\{D0771A0D-38CD-4C3E-931B-B071FE2DC6E3}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2468

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3792
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3096

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:436
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
80292af9096e5cbabd225b30d71dfa53

SHA1
9e546359f9287a1897548027ee4dae717ea88fe6

SHA256
a6b0ef767b357c10717389cc2da42310c7e37c823053ee7c8fa6c0cbeff2416c

SHA512
daf6d5427e5691c259eb4852b0cdc70621a40f9a316d56046f88efc658ef0c6cebda1a820f5734fafbd42b886f37301725ede23b0ea35cc94b7ba318f90abacf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
37KB

MD5
3973eef729615ffe9f12b0cad100e6b4

SHA1
ae897202c487c10de5c0e11e335ae2fd6d3b4640

SHA256
930521af373044db3aa04862d9f4068286096ed61b3da3dcf9a8a03c02daacff

SHA512
c5e33bcd9e4689bc7078f38e229d77e109d8419bbb2fad9c3f2ebafce688f55f8a636a23ca80fdd4714e19d0dcff23da01b9ed67ba1a9a52bcd0d500de1f9bb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
37KB

MD5
306fca5a40310225aaeae1a7f6ec4ba5

SHA1
33c5ab9a579fbd264c8588500599d8f3fd21f950

SHA256
e091abb6ef48d6dd52e72d03c30658e3ccc22b498838e3bac0e1a4c91fe8e31a

SHA512
b6cdac942ed7e74baac93f7186267436bd98f1da88a8df78b52d179dc2853a33375a3d4d2d8f6e9eada0c34a8238ea27b06ad8414df5997b586506e897961cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
20KB

MD5
956cc5e50c0d4d49ebf655a8ec2d9c8c

SHA1
6da68a690ee7a6564a5eccb1e1166ed6cc2b1b81

SHA256
09d217f8d59e24d4071628ad28d3e27d130612ee64ffdc8593a20eb410e7701d

SHA512
81b15982d5388472eb98475f1a98033f6fc5610ffd45fc9da67469b298ba339aa4cf166a143cad33695d515d3a5aedc8fa9f90abbde162bdd600d63ea8d60bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a9b8b0acf97d904b54924aee1c1e0a2e

SHA1
1e89110a51d329196688cec0e123b357dc3c7f22

SHA256
5cc948d55bfa6f42dfcf6b50a592fd2db4363d407a5129bc05eba0a23ca03cbf

SHA512
0de8cdf148406d814aa48959334bcd4eb3ae73b6550935106cf92a6746089786166168e99fdbea7db27ba9c3ba10ece4ea4355cb34b6fe12160c39abd914002e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d436f60690dc031ae590837750410d8f

SHA1
f2cc1ced6ae2ce93b1ef8f376279449e89a88e2b

SHA256
612ee80178e096cdddd6ff11a4f0692f970855981fed12d2b3f36524d0e86db5

SHA512
b00b3e1793d3f3483ab0ce70d62885c4760cf4b6270f2ac7fe822b0d68da3d56a2c34e69e964e700a9b2582e17f5bff182bb11cb53893a2a01c70bb920fa68d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0afd28dbe8df7ae2a0afd37773208b8e

SHA1
bf00939c2804534c73aba11918885462dc8a1a23

SHA256
3c73b9d74d3bf54b362240b3410012a45961fbd8564f98d44d458663307823f3

SHA512
46aa095b7d0e0c0bb5e8b60c4f0de870502b46f2569cb62b8db9dfeddc9fbc7a00962f0ff75b5b3ec39b18655e8490cba2237d4a59d843b341029870264af150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9501d2b5-cc5c-476a-89c5-020ec2e273e0.tmp

Filesize
356B

MD5
a7dc2b3e83f84ca245ebc07066b9b6df

SHA1
3faa11ad9046513fc242e322d097aa893d937ada

SHA256
1d31b990a1760875a51af4996e6f1a96a3874ea9f53f3d23dfaabb7b404fc128

SHA512
50b7a9febe15b0abda3e9fcb47033945357b6b7fa45620cd4eb801b8a69935b4211bb4f42c667c3144967208b9be47db88a9e539e4e50cd7847a686907c05fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e4f34a40f73796639bf3e9ede025636a

SHA1
12781e4c07b816d3650e5534178656f2be749f31

SHA256
709c98e67b2bd4817428d391a7d7785283b6afbfe4ed0b293fccb083152b8087

SHA512
42ae1c0c01f52f42257e754220300e4d288aa325ae0abef776208ed2eccb3a611c7fc9ae0b8a41a253b59f034c1dd29fe431e1198a0e97baec697db8eb908a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2bdd59229661433bbf168b3380745650

SHA1
218b8f410560beff0b7ad990c0eab5613f969dd4

SHA256
57a694d24793868330af11074e0d803f252b0bf7da0c17604e61b37f81e12136

SHA512
2ea2650e37855966cb723ecb46b5b30da78ce7f5d04b4bbf335fee9d9f684d487f128cf213612b80cb9bb9ee518dee85450313623aaa0cf998314331b2b8ac07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aedf35dc20392dc412b97ccfffc0bc47

SHA1
5541a2ed3ac7798da72b02e38cd734627555b850

SHA256
02eea1603fe58145287fd0342b6d809c039d150849500cfa3efddb5a2bba7295

SHA512
57db7b4f549faf5585b04a06e96037e294596c668a6c9ddce6282c295ba876dcfe3a4f5a19f4ca1bc43d5aa30a72f191c2e3b7a17521c341cc5f5a88fa0dceb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
34746afd200ada46bd7afe384949b719

SHA1
c14833f5b946f5f0bf27af15e39fd48ed76d8d5d

SHA256
5a8e28ee96d351a11fa89047c165b19b1336313b0dab460307b7891c53bfa407

SHA512
31b220f1b98870c81a8be8fbeebea8ed0d6d15dde826610de7702fcf7ec0cdc04a79bf8986c9341b58d546e8ea36f3c6e3256581000b613b26e1b9883de7c22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b685f9bf930951e1601fe851711d195a

SHA1
aa9078b9b280c6aeb42b6703346d15f61f5a1ddd

SHA256
4095dd338cf15f22873dcef1fddf52d8700d65267f9604cb5e6f2ce316b1b8da

SHA512
604d3f5a4866e1b2664fbb1ea48122d19f16559b4edd926b15d3ceb47502c402a4e66074b3c06170c34e5b533918416d90a2d6b33303dae4937ecff79b587d5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f2a9c6e502d35fc4503824119b8b4361

SHA1
002b8d0ca91c65afaaf8486ea6131a453f892139

SHA256
77297b0fd5749bfa8431fe3f439e3718876572c131eaef03fad62ee44e337da5

SHA512
4755c0bccd3645a0c8963ad42eb7ae7f2544f760744af09ec577ecc1fa774b1fb9edfb3921cd8f09c715684df50948efb382ec1b39bdfa00f480ddb002ef8127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
26f31b177b3b3d8065fc34c7f701194c

SHA1
863e64dd65176f3b516ed29d278e5a8c093159c1

SHA256
7c6e4ad3456e3056c6550a05d702531f7549f3db0f4f812cd06aee2a94d87147

SHA512
6f5a3ffda8a982f686aa2144983da2b0c1a00192d2a8f4d84d81557b08b87d4a72167248028b668c1186bcd0f2ae4502286f8fe1d3f525bff02b878a036b7ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ccfba524a5cb8778b3709f81806238be

SHA1
ee2e1d116f3c7055ac10aa3ec4b48cea3d826a81

SHA256
3befd4a3d2c8af5540ba167d2e0dc05968d06a5f460c9065f401f2fc6cccdc71

SHA512
c00f968dbf80c3995bcbfa652fc8ae8ef8fd0b5fa92f9f134b766a716d3e250d337d5c62db3c935036eb298b058ef928dbd40ca34a59ae1e0c9a641a0e711c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed0e94d72e8391e322bff4fb609d42a5

SHA1
9e1dcabfd5e8035c31baf2d3ea4a805d9fee81f2

SHA256
4dd0b068592af3dff77b3fceeb3bd26ec4a3762f986543e48ad4e34351a545c8

SHA512
c6552e259e503759b04eacb4dd96d25039052d8f47626cca31d3ec480c59c520446c872db45dfbace7321be58428c689027978743c5d77a6e0ad3357a7b66db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
139f8be93cede0ced996ac32a6f07745

SHA1
e4e4c18a7a57a555759d065bc7337ac7afea4847

SHA256
8fd64aafc166d181fc541c8cf7bd1ba704e87d69882f8843f373dce1d7069a93

SHA512
8a238ad0eebe811180862763c28348f4057016a28c1e91e85e32dbe929168fb654f2fd38c67d81c8d55517bfa8bf12a18ae4653213645909e3a471a80f1ca6a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
58f146b64b678243430a547975f2d4b7

SHA1
fefa1a7e440cd60205c06c6f0cab3b1719147359

SHA256
fe17c03c1eb1829eb7a878c3329113640a2b263a40bb97ce67f849e07d26e339

SHA512
7fe2e95a76e2d53e571c2b6dc63bcfcd0a376b49f38d6f16539cb43fd6724aef7062e58a45ce34995729d5a70ac0a3e861d531a68bce347ebd9f0750b1e358cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
25bf8c3a6a8915827132568af843ee83

SHA1
7469d099ad4b165c1dccd5a0c340d284bc6e257d

SHA256
bdc50142486660a72b9540147f2131d735403b2c5c4b55779c0e8a17b1077055

SHA512
fac7eb08c71f061711b6915597ac7abc4045bda943ada7f3da231cbb9918a288f47c13e48e28e8b01142ae4e46947432a2558c7eac96601021955bbcf40f25e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a48586ce05721c751b40f14389fafbde

SHA1
391f7d9a752cda779715353f0d924ad652124119

SHA256
539552a6fd917c44ffc4452f4150e2e806f3f3bf2c900062fe303049bce01979

SHA512
c40d582b6f30ea0a59b7dd67b245e7ea2db6225158f4b325ba841660801f90581977b9cdbadeb88e7ae56fd827cb30c1a26c28e5c63ecc5fad3d747f402b52ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6e065265e729f9ce8a845f607ae90a7b

SHA1
1eb923f55e70d81ff1aef9e3d84715a96c49a817

SHA256
9c919a9ecb38989cd5cace48d76faf2e22f38bee0aad82e78b44559e6584f429

SHA512
466b1f207a28353818a1b4fdf0e1e9c534169a4fb2298e019d940498c5471767342b539cba4aeba1530e52a01f4a106d8bb6a195a80526700844d68d46759ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56903404152c3492585d41beac6c4f27

SHA1
c3a7e32b31ce1f00031f00a8ee86a5bcb21d832d

SHA256
d4f848a25643489deab895eb062121aedc9e5caf328e8060ab233586b35d3daf

SHA512
d2c97f689319d9b8893775f3a78c5b760e20c9e7a83132f8bea0685785c656c21f8593f03f988b8b5cb556513bbeb945ed4dad4b483dba739b55eaa6412480b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0bc223ea70555a8d6f979ae9ee996dde

SHA1
1d4d2ee07a71046b12d301db6d1336e029043726

SHA256
3d72f3edd0ac89433b3ac8ea0e83a18a8da057e89e31880ab470a87bfe28cce9

SHA512
92eac766e6cfda0c3c6cbfd31df585c76792c4998d2d578147e57ac72d971a1c411304fe78bf0d20bca5d87b9f08b5b0e8ee564ba1d1424c92224b133ffc3386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
419a18d0654de45e93600b3fe25ebc4b

SHA1
7e3fbb002e6036faec40c6e107de27f0f0ae51dc

SHA256
4534c08b8abbdaa5da3fd6f122ad8fc46651f54ddadbfb35098e0ef65031528a

SHA512
22eddf71f3d71cd0995ce42420169ae7e58942700c1bccf32126aaea51ba6997e7f7d345ee69bf28a507b1da6c4f81d035f0a809491e95c3d5d1fc00ea3eaa3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
528ecf1669a100c24c782984a2dca84d

SHA1
0a68f86e13c67b2ecd1e8eb8d864f737446c2420

SHA256
113688af9f0be09d7f9af1d2e7ab90d41540329b4fca6d4f7869f55629593355

SHA512
1037aa270ebb76978b478d19d5eb96f342b4ec9b5e26a5790ab640b7c8a684ddf53baade587f7fdb190754ac5d644eef3215cf7cde7e47c1e5458d6e88e9e0d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7beb6dc2c5db95fc4cf2696cfd248408

SHA1
107d357a4bfa5beb8dc825ffa40ff4d582ae2444

SHA256
d774e6c359b30a15fdfe1d9a624fd5ab0b47a48712cdd0333ceb8f8234384942

SHA512
37a1711a0618a4edc0c22b4f22916f6316fad8541f4e9b9e70aefb6a26fbe76a3b56c1bbb405aa2e3f421b8b9437c478639405db38d5e995c4a8a2d5f8588d38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9c8d360e7a0792eaecbf1cdf68b34ef3

SHA1
5c4d803f6af4891a1b977a726e1c5a86ff430506

SHA256
2febe67871a0e2f374fe27bb9b9895a2fb86eb23618a4968a14ebd95bb72ab7f

SHA512
6732329f390a37f6c5646bb547b31b79cc1f1b14e4a0c61a7d8da71b3a6f59d8aad2fbc78b797195600305aca03985b22ba2901d9c1f0166c956c73b86ef0005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
337d15002e0acba47b9e217f66ef8e47

SHA1
92261a0822ef4592e0e8cd79dcce1ae81902cd21

SHA256
16f87ca42f972f82a7adca5253ab0308ba262b13f78dd03ef1bfd4a0aa140f7b

SHA512
3c2918e0f49d073a33f1549c22d128e78722fc216782416b6921ae06e46d89a783f1d9647d32204aba76f46f9b584b09875d0281a878e249e24f9c24311b17e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
351ec875b6b31eb5d78b8c0498bc9101

SHA1
1cd11825ff7879e78c31e8f792c56adf6cc8b4c4

SHA256
56062e213bcb89dfcb30c916e83f097af481f8a382ab663018035ab433914878

SHA512
f851a58bf824207e5fd16e0dd40e2e700d2608c654c173265edacb9808e58e8cc728487cb4d6974970972a8780668c2717bb9601a76d3ff11110f6f36ab28a5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2d77e5353c93734d7b58ea830b7de436

SHA1
2da80b8c353c4f1550cf6fb9b21356be4760c487

SHA256
37e65e5578626d1e859e4a53d7a24adc4effe25e2823fba0264281bf1049ec22

SHA512
9cb36785cb170d79ceba480b54ff17e2d02ab6fe33e84037db147a125653f3c1dabddf6498a7a77393dcfbb2d185679257bd216f9fe12e8e0ed8de187e680ca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c9b35ab8bacb6830f979bedc5685a332

SHA1
a985413c0db7a9999c1e5253cb32cd0de31fb443

SHA256
c12f24a8b870d5ed2899a57adef195136bd9f6a6436c804bc7979544e08ca67d

SHA512
931ad28b91e3ec48496ce153e15d662d63609d8ad1a378f173e5e8283e8ce0b9b2decdbe689ad219848bfaac59df7358e82d92ec4110398942b94bb1312c6de9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
88a55ec8909a9456c3fd11f3604461b4

SHA1
77018b72a36bea33130c9f006e3f2a046f85175a

SHA256
a0f19b8472bbf46e1825241d7d8505fefff87a43a338b510f10d34fb71e1a6f0

SHA512
2fe4b82fecd641c8661efa738a7c5de0e574b815a60988106f1cee9ef429ddd2c12a31bc55c8144dc058646c7fba0228f85cd5eaf153798ff772284734e57f4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
33688c4ce40d40bead9a0b35f448a798

SHA1
e9d1ec517e99b665c65d26770faabab4cc21cb13

SHA256
5935ea6b265495fb99618b549be4217688d9c55d1d7d56ea1ecb9637b321efd5

SHA512
03b3c809f9b750a6b701a047cc89c19a9d6595f6028460843190855f9b4fbf14d1918c81fec8668e05c6b9a804401cf8914f8942d1e7eff0a07b23c4a0c5b019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9cf9f8e6eefd1abe629219cff284ce1f

SHA1
04d183560bdfe9d7118767a6726c7d482b5d0c6e

SHA256
c0211c2a23e7422738777fa27d2d02853737c3abc488e4e73e8058df94237e11

SHA512
b98850d5d82b1bdb376de2351782e01b2177db63ac7baca4993f51b3b7c394625aa2990c514b0dbe25ec26c56b055d7f22fd9da9b0ec1e6ed3fa3d1caeb1ae61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
25b607c0619abf07f02f54774817fb76

SHA1
4d49587d6a7a2349d127f7487c359eea95dd573e

SHA256
5483df65ab4a4360413a1143f5cd1386a4af9a318f012b69187488376bb5b777

SHA512
d2e7fcde86d2098f978407d81f709384f9e4779aedb2b1827b5205a7fe11d3db40eb7468afe4ea0086cec3b8a5047d60dc7983778f1881d7059c94ddcb4af22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ee9526be77b6df983339d331c3ff2f88

SHA1
5f92b7766a2bc39000ec5797a840412ad968e97e

SHA256
cc0b49a249a3ebfd20bb2bea5947b4499f91278e8e6277252440b95bb8780213

SHA512
06af9e8342ee89eab61871ddafb7bf9f472dbbad9780c28b0de9ad2d990515519e1403fec97677b26aa8937e32447a250d0f96d512a4f298b5dfeff45acdfffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9cbf0cd3d2b503ccbcbea9657da94752

SHA1
23516ad6ebabf39c85d8d70a00cfe76767a644fd

SHA256
5b3a26c40bd312af06781477189f08b7a0675da8d96ea4564aa401e9209a0d66

SHA512
7e14bfdd6c98bcfa2eb0a502dc28215af7c521f0c7b4e7e2d90cc126af2fc12718651261d468c3952c6fee06a516842518ce6387d99939715f2e58dc2a24ce8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e31747fdd43bffc48f994e6dbf13c478

SHA1
d6aa863765d4dc3234a7ce3a872c0134b6b42d3c

SHA256
6df175f9958f98a7ef43efb60f5c10d0a05c68db9cce155a2b6da5ae878dc02c

SHA512
243c0c6a3d449067fc95ae61c753bb81bfd0da2fce08753b9abf4d7bd51cf7f7ffcaa8a0f9e65b8474d625b5de1ddb3f8b127d0aebf661229d2a7dd83b2861d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
206KB

MD5
dcf83eaa3c8dd979b4db1e42b0ecff5d

SHA1
15432e20babc16ead15ca552e75543e0703393fc

SHA256
f14ca57e6977c53c4a898f6a6e46d0b5df59b1b24ddd92c753d67f0c36c719a0

SHA512
274c5c1a48805babaaf47f46deaf454130777bf80bd011c976c06f1e7634494a8e7e0c3aeb1455264e85f4036ba62912a451c1ba642c9c5c23478ee3a0b5cbf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
206KB

MD5
32211af415b1008c436c278df6ec482d

SHA1
6418431c8fb6700be1524c17d3a174eeb3ca11b8

SHA256
d6bcbcbdaa0ce04ab419027e7784f5d0367c88941232a608efca5f4936a21d90

SHA512
719d05db1605e9e4d65819a70ed66a3b6a6cc4feacad75da735dba3109c6f4cba59ed0bff622264136e75c95d477a674de7e7fa55b77e5795b8834fb94a94c49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
206KB

MD5
ce7dee8a0273f7c68f32d3e454597553

SHA1
d01b9c4546f3bb3d3b48ea64693e237253528581

SHA256
0eb2db485ab2ff3233f447710e31991f7717f2189c02740b9916b1016491a458

SHA512
9807f40e77f254ac8d2c747a2c90de17aa9a52d1fde94cb551c5a2c1605df57147779a3690b5c2c17075088781f2dc59faa422e5a181d6df8c7fbd3600664355

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
6b4072f308c67407e437089007b06ba7

SHA1
c93bc8effe063205b6808b3e55f0cd2f61132e29

SHA256
539a6bb6fcd5d288b9a952f80a3b0e8d4eb495395760ae43f4d3d7aa79561d7d

SHA512
2d774c836915a1c932c4425eedbbaf69360020225182d5071ac249f1d94db3d0e573b1401424fe5b8fa22c0a1217f5979bb6e4ac59fdc3ca92e4bb5ee50654dd

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.zip

Filesize
223KB

MD5
a7a51358ab9cdf1773b76bc2e25812d9

SHA1
9f3befe37f5fbe58bbb9476a811869c5410ee919

SHA256
817ae49d7329ea507f0a01bb8009b9698bbd2fbe5055c942536f73f4d1d2b612

SHA512
3adc88eec7f646e50be24d2322b146438350aad358b3939d6ec0cd700fa3e3c07f2b75c5cd5e0018721af8e2391b0f32138ab66369869aaaa055d9188b4aa38d

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\F9C3.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
2b2479fe80dde99dd497a1ca41d5aa23

SHA1
19116ce6ff6d859a91d5a9c7828b6b793c431479

SHA256
a96e54ac864ab635e4b05b29404555c56ec5bcd50183384de3a724c4c80334dd

SHA512
d6ad7e7216073181d36002c704a1ffbe9823ebf8fac85a21f8d98fe21d6d28f0de338fbf7d7e7f857056c04a14729b8406db77a47b3dbd26bc873dd2ff9f4b37

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
f6f7dfe324da976481c8730ffd5509c0

SHA1
240f9e6e3caecd8ba5b95a1e426f9d61655a56f1

SHA256
7d03ed6535d8c34bf9672eeccb16cd0eca0d50941b7e2e410b0a7be58545d686

SHA512
4b1b7a9daa0ee984c124f6059beefac7bb2d24599e435b00f1df6a10d752eef7d5575a69775924a3ed8fda20566f4e1cb07b02eda68b81662fdd128c807929ed

Download Submit
memory/2472-1042-0x0000000002A30000-0x0000000002A98000-memory.dmp

Filesize
416KB

Download
memory/2472-1050-0x0000000002A30000-0x0000000002A98000-memory.dmp

Filesize
416KB

Download
memory/2656-855-0x0000000005540000-0x0000000005596000-memory.dmp

Filesize
344KB

Download
memory/2656-850-0x0000000000720000-0x0000000000792000-memory.dmp

Filesize
456KB

Download
memory/2656-853-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/2656-852-0x0000000005860000-0x0000000005E06000-memory.dmp

Filesize
5.6MB

Download
memory/2656-856-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/2656-851-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/2656-854-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2672-980-0x0000000002A10000-0x0000000002A78000-memory.dmp

Filesize
416KB

Download
memory/2672-988-0x0000000002A10000-0x0000000002A78000-memory.dmp

Filesize
416KB

Download
memory/2672-991-0x0000000002A10000-0x0000000002A78000-memory.dmp

Filesize
416KB

Download
memory/3096-1029-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/3096-1021-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/4408-0-0x00007FF67EE20000-0x00007FF680099000-memory.dmp

Filesize
18.5MB

Download