Analysis Overview
SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
Threat Level: Known bad
The file BadRabbit.zip was found to be: Known bad.
Malicious Activity Summary
BadRabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 07:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 07:12
Reported
2024-10-13 07:15
Platform
win7-20240708-en
Max time kernel
177s
Max time network
178s
Command Line
Signatures
BadRabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\25D8.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Windows\25D8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\25D8.tmp | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BadRabbit.zip"
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1355648636 && exit"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1355648636 && exit"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:32:00
C:\Windows\25D8.tmp
"C:\Windows\25D8.tmp" \\.\pipe\{72655514-63B1-4D09-9F1D-B9FE754F094C}
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:32:00
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RegisterConvert.7z
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RegisterConvert.7z
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\RegisterConvert.7z"
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.0:139 | tcp | |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.1:139 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.2:139 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.3:139 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.4:139 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.5:139 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.6:139 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.7:139 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.8:139 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.9:139 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.10:139 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.11:139 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.12:139 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.13:139 | tcp | |
| N/A | 10.127.0.14:445 | tcp |
Files
C:\Users\Admin\Desktop\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
memory/376-15-0x0000000000270000-0x00000000002D8000-memory.dmp
memory/376-7-0x0000000000270000-0x00000000002D8000-memory.dmp
C:\Windows\25D8.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
memory/376-18-0x0000000000270000-0x00000000002D8000-memory.dmp
memory/2236-32-0x0000000000210000-0x0000000000278000-memory.dmp
memory/2236-40-0x0000000000210000-0x0000000000278000-memory.dmp
memory/2508-58-0x0000000000970000-0x00000000009D8000-memory.dmp
memory/2508-66-0x0000000000970000-0x00000000009D8000-memory.dmp
C:\Windows\infpub.dat
| MD5 | c29d6253d89ee9c0c872dd377a7a8454 |
| SHA1 | 46be3800684f6b208e0a8c7b120ef8614c22c4b0 |
| SHA256 | 03f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb |
| SHA512 | 50141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e |
C:\Windows\infpub.dat
| MD5 | c4f26ed277b51ef45fa180be597d96e8 |
| SHA1 | e9efc622924fb965d4a14bdb6223834d9a9007e7 |
| SHA256 | 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958 |
| SHA512 | afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e |
memory/1060-78-0x0000000000250000-0x00000000002B8000-memory.dmp
memory/1060-70-0x0000000000250000-0x00000000002B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c0dba47d378768fa7530ce242c928321 |
| SHA1 | 31e12170028fdd669f598193bcbb6bb86d600099 |
| SHA256 | fdc3f2e730955b89692cbd2d9b1707d5d4e8ad8f36e785355b3bffbcc763dc7d |
| SHA512 | 86ac007f021a2e1c90bb4cb0cf3a86deb791030c77813b1a956363bfc86bd87622ed6f7c5d1d649ba45dc8cd28ca278328d7488249cbb883242ac76747688baf |
memory/1820-106-0x00000000009F0000-0x0000000000A58000-memory.dmp
memory/1820-114-0x00000000009F0000-0x0000000000A58000-memory.dmp
memory/2736-118-0x0000000000270000-0x00000000002D8000-memory.dmp
memory/2736-126-0x0000000000270000-0x00000000002D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 07:12
Reported
2024-10-13 07:14
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
92s
Command Line
Signatures
BadRabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\C501.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\Desktop\[email protected] | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\C501.tmp | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BadRabbit.zip"
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 201752178 && exit"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:31:00
C:\Windows\C501.tmp
"C:\Windows\C501.tmp" \\.\pipe\{3F833809-A0E5-467C-8351-3DA716AB4079}
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 201752178 && exit"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:31:00
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 204.79.197.203:445 | api.msn.com | tcp |
| N/A | 10.127.0.1:445 | tcp | |
| GB | 2.23.210.83:445 | ctldl.windowsupdate.com | tcp |
| GB | 2.23.210.88:445 | ctldl.windowsupdate.com | tcp |
| FI | 37.27.61.182:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| US | 204.79.197.203:139 | api.msn.com | tcp |
| N/A | 10.127.0.1:139 | tcp | |
| FI | 37.27.61.182:139 | tcp | |
| GB | 2.23.210.83:139 | ctldl.windowsupdate.com | tcp |
| GB | 2.23.210.88:139 | ctldl.windowsupdate.com | tcp |
| N/A | 10.127.0.0:139 | tcp | |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.1:139 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.2:139 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.3:139 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.4:139 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.5:139 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.6:139 | tcp |
Files
C:\Users\Admin\Desktop\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
memory/2612-7-0x0000000002DD0000-0x0000000002E38000-memory.dmp
memory/2612-15-0x0000000002DD0000-0x0000000002E38000-memory.dmp
memory/2612-18-0x0000000002DD0000-0x0000000002E38000-memory.dmp
C:\Windows\C501.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
memory/3420-47-0x00000000005C0000-0x0000000000628000-memory.dmp
memory/3420-55-0x00000000005C0000-0x0000000000628000-memory.dmp
C:\Windows\infpub.dat
| MD5 | c29d6253d89ee9c0c872dd377a7a8454 |
| SHA1 | 46be3800684f6b208e0a8c7b120ef8614c22c4b0 |
| SHA256 | 03f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb |
| SHA512 | 50141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e |
C:\Windows\infpub.dat
| MD5 | 449546d6d9a953b1364147ed0755c3b3 |
| SHA1 | 8306721ab3735df6a5e743b289011b04fdb763bc |
| SHA256 | 50bbb61b89a635adcbef23b498cc5c83bc94d161f816131433eeff9143d830b5 |
| SHA512 | ed986c6d12deca8d3357d16c976bb1535455c668520f9229f08096c9108a26aa5cc45cfba967e326b3cb1ceb25c97174161800311bdb1a652baf4f0a7c2114c0 |
memory/1144-60-0x0000000002840000-0x00000000028A8000-memory.dmp
memory/1144-68-0x0000000002840000-0x00000000028A8000-memory.dmp
memory/3396-73-0x0000000002F40000-0x0000000002FA8000-memory.dmp
C:\Windows\infpub.dat
| MD5 | c4f26ed277b51ef45fa180be597d96e8 |
| SHA1 | e9efc622924fb965d4a14bdb6223834d9a9007e7 |
| SHA256 | 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958 |
| SHA512 | afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e |
memory/3396-81-0x0000000002F40000-0x0000000002FA8000-memory.dmp
memory/1684-87-0x00000000025A0000-0x0000000002608000-memory.dmp
memory/1684-94-0x00000000025A0000-0x0000000002608000-memory.dmp
memory/5016-100-0x0000000002270000-0x00000000022D8000-memory.dmp
memory/5016-107-0x0000000002270000-0x00000000022D8000-memory.dmp
memory/552-112-0x0000000002CA0000-0x0000000002D08000-memory.dmp