badrabbit | e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-09-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CryptoWall.exe
Size

132KB
MD5

919034c8efb9678f96b47a20fa6199f2
SHA1

747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256

e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512

745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
SSDEEP

3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000300000002ab74-449.dat	mimikatz

Downloads MZ/PE file

Drops startup file 1 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b36425.exe	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

BadRabbit.exe452D.tmpBadRabbit.exeBadRabbit.exe

pid	Process
428	BadRabbit.exe
1980	452D.tmp
4216	BadRabbit.exe
4168	BadRabbit.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	Process
3024	rundll32.exe
1136	rundll32.exe
4092	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b3642 = "C:\\93b36425\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b3642 = "C:\\93b36425\\93b36425.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
8	raw.githubusercontent.com
56	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-addr.es
97	ip-addr.es
1	ip-addr.es

Drops file in Windows directory 10 IoCs

Processes:

chrome.exeBadRabbit.exerundll32.exeBadRabbit.exeBadRabbit.exerundll32.exerundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\452D.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesvchost.exeBadRabbit.exeschtasks.execmd.exeschtasks.exerundll32.exeCryptoWall.exerundll32.exeBadRabbit.exeschtasks.exerundll32.execmd.exeBadRabbit.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716739552960662"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
3936	schtasks.exe
4008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

chrome.exerundll32.exe452D.tmprundll32.exerundll32.exe

pid	Process
2676	chrome.exe
2676	chrome.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
1980	452D.tmp
1980	452D.tmp
1980	452D.tmp
1980	452D.tmp
1980	452D.tmp
1980	452D.tmp
1980	452D.tmp
2676	chrome.exe
2676	chrome.exe
1136	rundll32.exe
1136	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid	Process
4876	CryptoWall.exe
2912	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

chrome.exe

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CryptoWall.exeexplorer.exechrome.exe

description	pid	Process	procid_target
PID 4876 wrote to memory of 2912	4876	CryptoWall.exe	78
PID 4876 wrote to memory of 2912	4876	CryptoWall.exe	78
PID 4876 wrote to memory of 2912	4876	CryptoWall.exe	78
PID 2912 wrote to memory of 2212	2912	explorer.exe	79
PID 2912 wrote to memory of 2212	2912	explorer.exe	79
PID 2912 wrote to memory of 2212	2912	explorer.exe	79
PID 2676 wrote to memory of 3712	2676	chrome.exe	85
PID 2676 wrote to memory of 3712	2676	chrome.exe	85
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 2288	2676	chrome.exe	86
PID 2676 wrote to memory of 1544	2676	chrome.exe	87
PID 2676 wrote to memory of 1544	2676	chrome.exe	87
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88
PID 2676 wrote to memory of 1280	2676	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\svchost.exe
    -k netsvcs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49ddcc40,0x7ffd49ddcc4c,0x7ffd49ddcc58
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1404,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5104,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3440,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3384,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5336,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5224,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5456,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5480,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5404,i,13409543267740446457,17673555634515351700,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:756
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1459533667 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1459533667 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:11:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:4732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:11:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4008
  - - C:\Windows\452D.tmp
      "C:\Windows\452D.tmp" \\.\pipe\{F577BF65-40CE-4D12-B011-A55A62D25CB6}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2912

C:\Users\Admin\Desktop\BadRabbit.exe
"C:\Users\Admin\Desktop\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4216
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1136

C:\Users\Admin\Desktop\BadRabbit.exe
"C:\Users\Admin\Desktop\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4168
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
910ea8dd0565d2358e1d79e6b8b91c89

SHA1
3d2b171d3aae68a6c8c01388839f93006270501e

SHA256
abdd0503061d1057dafac94d6410b4dc74e28e1a1319719f279b8cb304cc97eb

SHA512
6264008ec6671d50defb2c198999da55168ae4aeb10b8ae07b1678da78eec340f405dcd36b0704dfd684272e79a904a5062f48f6c2448019f2a58d38f0ba2c01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d84915a981d74ff835e54e29f00d0810

SHA1
517aac6b63fe0e9a0eaea4e5e43315f1a738957d

SHA256
16f517c8539f7dddc6f17fc06ba90086dc9195e5b7f089c6ac9deebae79e8300

SHA512
536f27a18c26f5cd10d5798ba372da9db5970cfd1336179ed0f4b39abc9aa04454c9d44b3f1929ff4fc7c980f31d616ff005de407c21d0e5944537b9edc6806d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1eed6958ae8f8ab24cdc928da1fae1cc

SHA1
c1b6eae9f2efce532e7efdd075b2e66328066c1f

SHA256
01cdde125e40f093d77ac7462211183e4f0c768b7e51b524c0c76c956e545b96

SHA512
5f9d4b185fb24385ed7c66ef6f0916c8fa7edfd0b5b1899160ec42ba0067f2343549d80808eaaee6931d5f4b169b295f070fc62f7ff953728f2090bcc37f0aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a670a16ca290bb89147a66d0bc5b14b

SHA1
0cbfde7e8145c6a2177a07732223fa5a0819378d

SHA256
dc8c23b0775e6ece463e9b367e9ba5ff77191565a9007252b352bbc0de1810d0

SHA512
e9995e2fd2ef080ab7d5056d04c7d842bfff72a6c338cbc56998630d6777b3fe072382bfb1c304b24a4585caa10cef84d9abbbcd084ad3e50b13bc31a7b0f145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7b3609f53b241cf961d570fe409e4b9a

SHA1
5447d2f6cdcc95e39a4314c29ec54a17df085fe8

SHA256
b567e4b80ac4d1d50dac36027a208571c39d3e14a89115288dea33a3bad6ffc4

SHA512
cefb59efb63d47ca79fe2f8c0047511f0b5aaf4bccfa77e4f2132fc3aaa71195f33b31911724e2347a5eec78ec553ed6736d93f026d968c17bcb960efecba4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
336abf8927cda91c2a4bcd6a06b9cd03

SHA1
2504a4456e12d05e83c96898ca748a2a3b395c84

SHA256
c9369a1e40cdff25691b86fa01bcde7a22d1ba4b8a49c744cb7304f8a724a7fb

SHA512
73340de848ac48364246ffae50fd1a2500571d79ebfa5258f28c83b2be5beabc31c57181786e53e86cbcfbda9c136493d20d215c3bb3de60cb0d48027138a37d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
153646f0639d4195addfde9758852bd8

SHA1
e2bd42ac1829e1451a1bee9728b4d9a23872410b

SHA256
e609fe3a65685a011eccac5f80db776f2d1db8aeac853fa5389ff1b59038dc4a

SHA512
c23d80f492a5fb2c5a71feeef54060d1d5bdb510b6990ba281b73580a83ece3a06f88b6210f4c33dae6f20af86b7821ddf4bb184259d7edd95240a4c788f7358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a0754395ee793eb98265d4227b7b460

SHA1
c693c8ea19fff2e4802fa9e82c52aaa82701c970

SHA256
ab76f97d511e3e4bcbb7a005c16ddc8ad9c3025e24225649e32b03b37dc6c394

SHA512
0cdec90ece79b577cb119e8d34e6d28cf68ead19234f5241d9205c2f44ca58d3be8a7c43e495d4abccb7b1450c0a0da2a0a9c20f832e69a4161333295d1046b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
60d4abf74ec4b2c1e1a700cb33ec87e7

SHA1
42c64e3f9fcf466d075e0d303a963d8484025a6d

SHA256
abd7a1c59a6b49f5c695ea333049f88ba7fe7287c34942f54b1eb775c4a5841c

SHA512
dccf3770e7322194a33f760e60f3f71ba98ab0b1b326eef132b7beb12ada426dcafb5aa188d2f9aa2063bc73ed51c4a942965b3ddef33d36e5a60d793e967c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09c342d585cf639614c11c9d54e03ed8

SHA1
c66a6ee238165eb596fda1d3667373e6e521143d

SHA256
99d40b6f585efd51bdb7bd78a9e45ba08a7e823b4fc4733809b354458befc991

SHA512
feaaa1d268bd317393eb3835a468def29e35cd00be844f517e55cc4fcd4887b741edc0b1f1378e9d6a68c357b96072bcdb62424511215d102e08011467f644fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f9001f128cb265d794a57e4b10d830d9

SHA1
685529d83ec69ee3295f34c49e84a977c55f3381

SHA256
31fbf96e6cfe4c7c50e474c1c3746e99628747c313fd85f1d2bdb650e31dee67

SHA512
bcbce9e48de6d3d574c65df92f8a19677e458107c17adeb131df4e1f433b01c6cc192361bdeed9af6a3413bb31e9402eadd65444b27e4e3bcdd0622cbf073850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e756ef4a64d5953a0446f08d3ce3ff26

SHA1
2c3d0cb04f44c011781f4f191612a63c91f2412e

SHA256
e4bbfd76a99473deac91e67906bad6403f8ae8aad7b9ac1d838a98c1448c1511

SHA512
c09a3bd181a26594beb7928e6913be0ec95b17c54f76242baa03867f2e475c3b5601259ca37fe1eba9584b236b2e8f017b9b59175ac0fa0e8596135037d4bdbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
201915b6d4a4d73206206c1e43f0e66d

SHA1
3118ddc9cfb003853acc102d5e2d35d89cbf4e77

SHA256
6357d2e30a313cc14fe909732964dfccde5a2cc4e222f34df2eaefdbd76c9cf7

SHA512
91387c32a8041c62c0ac2822f80726cd7b4ad7444e8c9d01de6b333196252ff0df1ed7d4339bf4ed494c4118a7bd8eced1c797308fa70360e723ed6e37c23961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dcf3895b08de31e6e1c272c066b17111

SHA1
5d952c04fcb835043c5990ced3cc236a5038415d

SHA256
6bd9e08240adb7a70b22ce01a4cad1bc52fbecc8ea13e3b984b53e822a34ea9c

SHA512
d92b735440c2f9b6b5dcf3c6987135f4079de98062cf24423f306c7abe0e9b378ac37f3429404f482cbc3f7e7b8d9e7646a6d8f132753b2e8812d78b516e001d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e74bae3d5643be16f242565a5449898

SHA1
582aec235c9fb18b5b556ec67dee6a3c01071b06

SHA256
43c32d21931dde9237f046173be3c13147d3f20e346f759a5db901a219de0846

SHA512
58cc28963f30bd84503d7017eaffe282c25312c58560e8cf290aa4e8945b273152376c511981e1b8b1f583e649942e69e86c564103d1e09f269e2bcc939d3565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9c42e6f56badecf1354221b3dcfd1a1

SHA1
bb9d70dabe00772a1537e54d3f3243324d861865

SHA256
a69563518acc354f480d0e1adf060d53a2e3377140324b82ce4ba102e92221c7

SHA512
290da7798a3d300e7b635d92e18c2606f659c7b5b75be90594ae1515fde6cca3215138503240f855ac59121ba9ff9b39b4a9bb821523e873b7144d40eac98fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
33823e8c65f2b378e39fa56fe1986c19

SHA1
1195f401a18cf44090f2c747be0a70f9675ec808

SHA256
cd226d3cf2eb9fa76ba54748f8241611ea899c94cad5c20dc53c44b1b6b2e563

SHA512
f5cb61a8667d93c6423fc6e1dad332a5b65b0dbc0f78e5dbd30e783f0e8bfd5528e6aea48f29f7d321c4f54ce35d42e01907b808b3ae1483491f21b0b9232a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
094e79e457b38b5ff57434da7d7c01e4

SHA1
5626c5802b9ca8f276f381c9bfd0f819245b72dc

SHA256
50bcf2aa931cb636d92099c8df8a7fad05cda7418d5c34b8625d430eb27c1a5a

SHA512
e7952e17996a72718778f8b8aceb0b068305cef0a1731f98f3e5f6d1fd87edac768c07ebe77615048382c7e9776b1fbbd7ea6ba2b4ec094d25ae7311174b0738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
0732835a3e41b769ced4d3adb1ab6f99

SHA1
203a6ab9b20f879a1bf76f62e5a1e5c7c06feafb

SHA256
c95d0c021971ee5dd1e61d0093c4591d03e477e683896267ecebd17fc8209ab6

SHA512
9db30f6bb69c2499d08080d5ffc652e380187f05a6f1528628aafa0ca894706ab787b51abb9bc7e62d6bb8ce1a0e45ab17f758daedec95edfdd8e95160f10fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
2e33ff1a6ff3bd0eff8d2b7410326993

SHA1
eabb671720ccecb08dbe9ec20ee7ae219fc62416

SHA256
0a3e798bf29e6ca619973f27dcc2e9e5c2a7e49782bc0ef889a074ee768b9536

SHA512
b5d6d38899cf71470d5be4dd30c743bb3bf5bde3984b770f6186a04765672dcb4e3be3e40ae632eb5c68abaee4dcfd3227d0a992db024a50b78ee6414b2d307a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
b964825f121a9f1982c22c171c25e57c

SHA1
f3b7632ed00a2830e1ec6d2c18c3c0128ec00c87

SHA256
6119e59fe020613cbc7617dfbc922b5f8ab61e91ba44cb757da9ae037165aad7

SHA512
e8feb2d0618049e798c575d6f9f9dcd5da7a8756dc29d21fbf299310f6cf434f60a1f6ca78ca750d6d0875be9b04e9112ac7740cf68191046fbd17a35741c39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
643a6239989f3bb3e98fd443c2993cec

SHA1
5131be440139421cc49415a48950521598add6cc

SHA256
d3da8c0bd6e3966b6ea8e4010b791e0475b9a2bc6169b208c9de450a0e840df3

SHA512
11fbdf8575a053851baa91fd42cb20b38d5b86790bae81b21a1ce6be807e41eedc8177e9d798f370d355b4619d9b3e17c3fff30e45044a0ca6ec5b21c39d073f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
99f300f39bd0dd38b0ab136d804f00a0

SHA1
eb11d3bc1e739ec0a74e46c25a1fafcbb336758a

SHA256
c4bfa4b06588bb44fcb11f3716457368b7e73cebe5f0e301b9af0f66081d1f02

SHA512
8a55df4311567943899dd03473231d3d32b16d01d939cc46106b714aeb5b40820780f44f89b98207e48e99f74848f62f4ffeacce9dfb95be25dca416c0091d43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
910bb59dfec648074835115a1b3b2f4c

SHA1
4f0f298345ed864c10a10cefb425609b1184c61c

SHA256
bcbbf02c3841f6577b296a92723a20cfca136105df412413c07639be2a4ed7ce

SHA512
db81e75622023bb15f56b2b2f12d8139a44e7ad511c4ad8a787829349808c5e0803c7f71d5d8eef2230aa73f19e6f15dab23a31d4d754a58d3b00ea1a209e71c

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\452D.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
7f13c57aed1c74fb2273d3e30ecdb5ef

SHA1
b2a3054cdd6f5636e9d6386d3abdf9f6fbeb8333

SHA256
0812d9df3caf0071c8753c3d4abcb7b5650b21d4de23ad77fba406fcceae2348

SHA512
a55af49432e2730dbea7d54f6fe12993de3037a5d6b70c889407df672ed8ddf5d68309d2ad2a2a46fc3f5cf15a7812595aa57b588ec0a96459ec5001b1b9e263

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
4e46d3825c01ec53e22d2fe7c4a7a582

SHA1
6cce78e16ccc0178d3b9b3fce26b249103bd1e1e

SHA256
f662641eab0abd8750a6c629357bc8b67597f6858273cc2e114d03da44a29493

SHA512
8287d2feeb1be2df830c0973180d8752ea7d159a4ec42d900198e0a1c41c9fd1b2676a6e682cd8781d90d23bbd49e3c410ccff174133daa535301a0bed4a9d97

Download Submit
\??\pipe\crashpad_2676_QUDEDJRZXENVVAHI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1136-553-0x0000000002300000-0x0000000002368000-memory.dmp

Filesize
416KB

Download
memory/1136-561-0x0000000002300000-0x0000000002368000-memory.dmp

Filesize
416KB

Download
memory/2212-14-0x0000000000FD0000-0x0000000000FF5000-memory.dmp

Filesize
148KB

Download
memory/2212-6-0x0000000000FD0000-0x0000000000FF5000-memory.dmp

Filesize
148KB

Download
memory/2212-5-0x0000000000FD0000-0x0000000000FF5000-memory.dmp

Filesize
148KB

Download
memory/2912-0-0x0000000000C40000-0x0000000000C65000-memory.dmp

Filesize
148KB

Download
memory/2912-1-0x0000000000C40000-0x0000000000C65000-memory.dmp

Filesize
148KB

Download
memory/2912-8-0x0000000000C40000-0x0000000000C65000-memory.dmp

Filesize
148KB

Download
memory/3024-426-0x0000000002290000-0x00000000022F8000-memory.dmp

Filesize
416KB

Download
memory/3024-419-0x0000000002290000-0x00000000022F8000-memory.dmp

Filesize
416KB

Download
memory/3024-443-0x0000000002290000-0x00000000022F8000-memory.dmp

Filesize
416KB

Download
memory/4092-576-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/4092-583-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download