badrabbit | hxxp://google[.]com

Analysis

max time kernel
434s
max time network
437s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001d000000023d45-580.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

EPIKHAX.exeEF16.tmpEPIKHAX.exe

pid	Process
4784	EPIKHAX.exe
1576	EF16.tmp
3936	EPIKHAX.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid	Process
3996	rundll32.exe
868	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
135	raw.githubusercontent.com
136	raw.githubusercontent.com

Drops file in Windows directory 7 IoCs

Processes:

EPIKHAX.exerundll32.exeEPIKHAX.exerundll32.exe

description	ioc	Process
File created	C:\Windows\infpub.dat	EPIKHAX.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\EF16.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	EPIKHAX.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeschtasks.exeEPIKHAX.exeEPIKHAX.exerundll32.exeschtasks.execmd.exeschtasks.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EPIKHAX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EPIKHAX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133741527646431520"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
812	schtasks.exe
4980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exerundll32.exeEF16.tmprundll32.exe

pid	Process
1908	chrome.exe
1908	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
1576	EF16.tmp
1576	EF16.tmp
1576	EF16.tmp
1576	EF16.tmp
1576	EF16.tmp
1576	EF16.tmp
868	rundll32.exe
868	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1908 wrote to memory of 3492	1908	chrome.exe	85
PID 1908 wrote to memory of 3492	1908	chrome.exe	85
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3940	1908	chrome.exe	86
PID 1908 wrote to memory of 3448	1908	chrome.exe	87
PID 1908 wrote to memory of 3448	1908	chrome.exe	87
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88
PID 1908 wrote to memory of 2148	1908	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcd9b0cc40,0x7ffcd9b0cc4c,0x7ffcd9b0cc58
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3872,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3364,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4468,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5212,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5244,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5588,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4788,i,6695438835852309525,4035701175149474233,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Users\Admin\Downloads\EPIKHAX.exe
"C:\Users\Admin\Downloads\EPIKHAX.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4784
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1836169414 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1836169414 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:50:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:50:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:812
- - C:\Windows\EF16.tmp
    "C:\Windows\EF16.tmp" \\.\pipe\{8B155977-D903-4D40-A9E7-3F2E98B74376}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1576

C:\Users\Admin\Downloads\EPIKHAX.exe
"C:\Users\Admin\Downloads\EPIKHAX.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3936
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cdec3b877a832c9259d4694b6fcd3c74

SHA1
441e270ed51ad0b4b818c499044dc027547f6ef1

SHA256
c7b4a24a0fd6280f6b7d2fc8fe36020cf60df19a08f665980197260ca23a94cb

SHA512
6fb1be415e3ef08b278b0aff66bb3eaa20d193e51e00fef26903cf110a814ea3969be164e02fd2b732df6e6eba368c82054770921abb9ecc7d537a89ee0c22fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ab644205ec7608d3b406e8850491b89d

SHA1
330344d06d11df61e41ec02f3993e7adc5cf714d

SHA256
fe47691b01cd5d2a344f620b5f393ebb3b1caa15d51b3d0c8423e5cdc80cccc1

SHA512
9a7e2c7f4d8bc99baa40fbe486947367bff86e3ebd58c12915b4c819c76d6abd19d6b73c8d1fe88d91f03d3753ef4c15ac4fe6f42611eab0767fabc6c8405264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8858b7dcd3a23007fd360abde2e08e5b

SHA1
9de37b09976a773ddc9bd08f775b128bc36b681b

SHA256
b06c538a53fbc94fc5879566114f10c61872f5ddb6c2db5445ac60938929966a

SHA512
5f9bded6d9e02f4fb151a237b058fe0116e4af86670a693f1083849a4c850d1c75c4575805d5aa3e3c1092cdc8d76f986f0e928f8a75a18c1fa4b8645af84048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
cdd90b42a31ecddeb26a5b1e8f5ee7da

SHA1
91860ffa09d2cd889b2e9b6e4278c67eaad8ab4d

SHA256
0df7490236d18433043bf9180c1e5bda3ba101fb8580b56c12ad95c19982d16d

SHA512
05e247153d8300cc4f3c4329448a8a84cd3f5452f1a1a6ef011f11aaf7d5f4ecef97485c7f77c5352a4a0bd995f6673f6926ca2057d6f6e46a7df5c74c8cf9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
fc067afa37d278b193850aa72f4bbaae

SHA1
037a072e4d591593ece986495e1120969f217018

SHA256
45c5f14924fb6b692a7b27e894c9ed14d3a99578cb7b32458489846b833603cc

SHA512
8edd11f6f9c4bdba2aa5edd6f5c8076d1a4bdf2ac4b0f907eebc76261db32b3798f41363d72703475c1868f7710ceb9f07b06e69cdae7eb2f572afb3680af262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c666d64f6fd9bdaa1becfc4bcf49ab5

SHA1
a7fa3ee0eccc14ffc354ab7184bea46efbdd3957

SHA256
cd90142c4de194d2132053c2c1ca9f93cba42096dbf3517a4ff380e8183f55e1

SHA512
321598d2a24cc4dc79864ece31bd97e3e9a7d2912fcf4f9335452df955c4519ab1f0751443b0b91379307d6f435391ea72137e329f1a121a3a80e2d462ef5896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b495811b39698d5f0fa1362c0d255afe

SHA1
5bb544601a85945c0a92f35ceee57737e30c7497

SHA256
65d0fd64a3b5ca5cf8d76da06e965e486734781694f13e4d04d7808e56d1ba86

SHA512
713501c0f159ba9f6eb0793e8e7fe4c4f81a06a2b2b54bfc84464503250b722a22d9d7e7939c4c7802ecfdef0b307f93bfa72b5f5c36e45d7815439de996a2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
158c120d36691c8030de379d35907c9b

SHA1
204e231fe46dec3427e9fa1f0586b0a1cb4f2efe

SHA256
c405586cd31684d5a56f4a01c10fd35ce58365cbaacea323d542108a88c3914c

SHA512
e9b7ba6e54d01abda1056a6a1070db38586c6261c30d84f1c3f588dcdc59ed7b68b9c7e2c749568a4e927d309af3570ebf26ca57120d7f2500fe12b159113f24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0863dcb3e3d294362d985e9c09fac754

SHA1
12028fd097cbdf6206dd1269ee708204f5365c5e

SHA256
a2b2ecdd349ebe33f0e61f7e1eff79e6efe119f18f8e84e881be1574e83781bf

SHA512
cbc1e840f0fa23a50053d5c92e7f43ce071ecfd4b51fa0ee429f259ca076dba4ce6c64cd43f4045abb79aa316cecceab6a5c48f4030bde52537a1d58d71b264b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a99174d2db65b861e0135184af7a9e67

SHA1
198385b054068056a1d8136e7657eaffc6be3e04

SHA256
943ff3306641c551b9a564c15d3ae2a25ad0fa54992fa81a16e7a6427f4cf3bb

SHA512
b8d5a4a4beed530d25f158285af3ae55463ed2fca2362462b8b34dab8d9ecef8b700a7a8fb19bec2f517321979d6761c6e137c5f947c392286eeb0fd1f641e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c0ab97849b5007dc84802f259ae7a4a

SHA1
0ad6d2e77dda7175f8b80d5db10ea50e3247b403

SHA256
37c2f31d65e32a89f216419cfb73b94b2dae411c5e12cf1eda8f00a8a8f6ba27

SHA512
298d7daf438ea82836edd593002099e1f662662ca19d065b26b8fdc9e680d98826b40bd6db78a4beb73711b74cd38e31f0d0de2cbe4379b1cb265e5f352c76a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c570692cc308c472a4b9dc4cb6cea94c

SHA1
29de47f43a67d95815a4464e74de5a98a69f60c2

SHA256
6bf39086ca55d6f9c8c84531df1f51ebff8462c5f93c82f40545ef40b9c37646

SHA512
c7c3b63477f56a3f90fbfb447292926aa8d8fef25e2bb8142997b1d1eeec591d6d8ad02b60a17aef6c97cf3e50231b17024000f06e4be74a344b8abc5e4849b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa221db4191ad41ba9707d1d53356867

SHA1
57f94e14abf8aaaf329ee6ec168f7b5307e81eae

SHA256
2c870fc5f9fd3c24499bd17fbd7c568e2f44dc62356cf759f01a59975d4d9f6f

SHA512
db764ed3dd0da7543d80eb18501776481c7b30d09f3551bc834f1000d274d4b1684f505e8aa031e7937287d7773ec861ac867d40c5d0ea925dd18195f5f55195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d7853b766c570469be37fa62b90d0a82

SHA1
6c4d36fdd1582174a49237d79a71edb6ca7a8135

SHA256
c560a4772a464462b39a47f00fc6b3add84481b07b71ef64c17108952a340bb8

SHA512
8d58bd2a2ca5b94c4c1c073dfd5533cea88b0cb5af82b2bb7efb025e81137ef26290977f76a387949323aa6cc8409d11c01eb1c7b59fd218aebf3d794ee29db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
035d1f81f2c7bfabce483d62c959217d

SHA1
638e977b2d7d1ac955990e1f1dbe386f5ab6cfec

SHA256
127424fa10a96da8d15bc7239cda4ca41bdc5e18af1972009d8d043547899667

SHA512
c139d208acf365a651844527c455bc768f5270b2efb795cafcae1b25c33084893122e66bfa0f4eb6101b1f5ad305f876e63625b0043afe3a7c1e4635fbaf5d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72e1761378ffff82d56822f4e87dc20d

SHA1
3b2d627236a25c71a57c943566545a48fa0b4f23

SHA256
f5165e051106482aa1f177ed870619b16cb7d6ccb313ee0706aefe4f1be6448a

SHA512
afb55850f4f2e58bf0dfe46e58efc6dd01e04bebc6ef077d630421bd1d6905c3eafe476796432afa8a1da03af7e62f72df7801a74c65c7e40dce938ad064ffec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5914e7c4c64f8bfd6921f0b2b16b6a94

SHA1
f69a34beb1c8e3ee00b4a93fec01f2f682959759

SHA256
15d7da93f515eb065f6198bc7c187ec0f32daccccd6d5878cd0e9da412a7ff59

SHA512
715ac451d70a20d60152f2979ca0159c3920a6ceff1841c01229be1c22855fe2f32b10fa8236cf2f2c55280dacba4806ba497619af5614dcc7163fb1f992f74b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b158a0070639ae8b15ddf75e1a7a6b3a

SHA1
3a2f7f4e9b37ccdb37ce748df83f47962759317d

SHA256
7891c5de43b48bb56cca14f3e2fa431c2653b97aa6e11bf4ae06e02796c2b516

SHA512
fe635f8407e0beca0a59ba8fc004c5ef39b19fc1ed53e77af173ee03127a42595b2ad5d73ae8e80f2bbd43469a56c2e5367c722b74e0a093e61b1b509c1b5670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
abdc75af51ecfce25e0dff1e58dd5199

SHA1
8969a4fdc7cf4cd9551f70e42eb69cb13648721e

SHA256
0021a934befe20cb1a3e22942f2791229fba04e12780e7ade976fcffb2641d43

SHA512
1411b77f4b676cf61e94cc7ed19401af9cbefe342026f4e76e952f3d89fda3a45e9b86592027d8b52f26cd7f200640132582a8ffa258e4a7aa10c9b7d8b5251d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d900aa1e0f18898c6a06252c3a9ac5c3

SHA1
b0029e5d5ef18e38d9d6787e881bb787aa7f8357

SHA256
737d4093f2a2443a91573970826b4b3abfde974b9a8624ef3ee29e8a8d1cfe95

SHA512
05ad54e0f52ef5bc6781d5f12df140401672d6cc1d9f9a1efdeace79b815472443694d4ca880bbc6021349de9fba222faf146fd53240e8ab68373dedbd3c2ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ba7de6ef41189d8b717f99fba90be94

SHA1
5c58e410ec9fd44ed7e5cf78ae6b712fee527683

SHA256
fd3bffd4ff6099c183e0cf632701f3e3024a0f5ba996533bd6878929973b1615

SHA512
ab7100b015102ee2b5e191003218495c84bd2c7039d8d706e3537b7fa7a47df2f5a47a68d717b92e019ebf780e869c43122bf8a22010031ffba993df6f28a482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
591c654d4d707014d32a9a3e4d0a587b

SHA1
d05b5459c618929a4ce3b8eec7c2dc4266e68161

SHA256
3717a42d05cd4faf3cbe54aa35b95d9d6f9314629406b605b5e3451f9d731309

SHA512
8d215b32aed8bca5499128f8f562808bc608b61d88e66ea93d576f5ecba61f845ab34bb491fd3f74b21fcf4da7f8bde159850c34d86203a302d093a44b137289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2499007928e827a5ee69081abc95877f

SHA1
881b3183093357ea7b44103652b0b0e414f47f17

SHA256
0ecdbb6d3899bfc2ce492f8a021684fa0862c9e096e73b66ab9cc2d9caa63161

SHA512
4b7a088f73f84e44a990658de9ab5651b444e9abd951c86a7dbf07b0906ad71a28e03605949460cab69e84542edd95ca18c51ab25ffd9d8e729d0268c5f4d5d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
171d4f42b805e50b8f9711b3f4b38e6c

SHA1
a69591b8e24d6ac16c15b24a2c9d3a1ce81ef97d

SHA256
a1a95cc566cf328fa4f99b48d25cba549dc027a29b38e7f2e5357879721b8e99

SHA512
46e6da29dc90257fe605efdccab4223273358b15065e103cc9a64c57c6827c01913b80485d60893998cb70a38e81262dbecd2e3cffd21b6c7050ad71b1e84d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
99cbaf37eecb7facc68964b5f3c520f2

SHA1
09eef43fdf96072b07cb393b1e95c8cf8400e337

SHA256
d9a5d925e75c65065c9e436b111b3336f91d4877d18298a28f35da5c752c7380

SHA512
1980ada6a7789213e1931367042d25441f006b35058a88001b7e27bd2a817c4de06c0dca709efc8e0a7cbaad1cdf2097a51c023f2099b647314b5e9b4712e850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8f04234556c4fc1478ee388ed578129a

SHA1
3168a94f428d4ad3d60494a83a79ee3f5d8bc938

SHA256
34534205eb311afaac75c79d938590d7d2bfc21ea761bda93992e4ff9f835eb0

SHA512
ae4af589a032155959fa90e1d6ba16757b8ca05ec35aa941c13fd0c5cbe351c7941c8f5b7fb3230f17b9b93ccef3e6fee137b632b6de925d7c99f2b0bb6da24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
114d69a703b50e0d8e2d4acb729fba3e

SHA1
a14f1e50c38a8c77d4404630f5b09f87c70e8068

SHA256
ff6cc5cfdc13cca64e9c7096b666a08f324d4b0bdf3ed484d9278b132135a073

SHA512
3d4ea713de7e58ab6bc9988084e0799111b85827ef98617e6976ce7f5b9d6db24be9f2f99ed44375892d175a4e421db3c2ded3bada05027ce60970e5fef4fcaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2cb8231eb5812aa3b7c6137819bd9e7c

SHA1
9e531638cc194019deea6cb2cf1e9138e87295fa

SHA256
0b57b15679b9dbd0fdd1e9ba5f2f65bea0c14d486c1bfe4edd56eed0d6280745

SHA512
6dc4d5ca0850105d10a293c21878fac2dc468ca826d3ad04904d27fe5ae29a7e783269fe00a6099a0c9b3a0363bd4f67c0b2cff2ba1150c70aae7f900fcf9c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
59720633eb49d1fc90b6f26934a338da

SHA1
6dcdc02be5e6f2ede1207484187ceb755143c813

SHA256
42b86beb2da8c64a5f3d831f1d54bb703340a2cb9371120424175e6d1ae47f3c

SHA512
abed11da523b04b2d995f37ba5457f5f3c151feba15d0ba79c726a3f2c78e923ba15bca2a5f71d794a5d495352b9856bb65283dfbac00e7800a3d9c0cfb09c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f366264be244825d61f4dc9b5864e148

SHA1
fd7f7397016cbb94bd20acf80ec582f82240ede5

SHA256
cf1d5d641be831449886c0aa6b72334a650054dc1df9bb3b26d6f0bcaf8428ed

SHA512
a4be52a0dd56b42afba4894f9aa7fbea32287a70d294ab5c8993bb4bf271093319c55cd831d45aa2ece1029db244c377004b9ee4ed3238f434df6d2592852d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fc44215f539352999a5f44fb81840514

SHA1
db4114cbbb4854f561651c5bf70d948339d0315e

SHA256
8820a3d819bf70cfbcdbad1fd2d4c1446e8ba4661193369584364e2c4c68859e

SHA512
61667ae7ba01da9caff227853909908b089a417ca9487004891dff3a50d7f1f6165ae719bc5c0f823cf71f9c7fa77cf0c3eb039dd715d2efedf1082440c503c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e7cb00dc89522a361cbc8cd2b52661b

SHA1
206269624c47bfc7f575634078fbe68807428f9f

SHA256
1b87fc85772bdeafe68226697079bfbdac64c140fa87413e0d638a984171d864

SHA512
1b34dceb020baf953ada1eb551f661740924f337dbc01e02a06778fed4171379034d2ed33636b2c87a9f43e1f87040692e25e6c29c8b7c0d82eac3c5e1e4ab4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c7f1427931d2434a078c802de4687462

SHA1
030b31282e76348ac91f3291f34dc3609c977d80

SHA256
14064605f937075e6efa3e5f25d9981cc915dabc4342d5c89ec521711eda2803

SHA512
55e5e0037384f8a8f1380063f941ce17c13888507e970738c96e1fdda991c7d88fbfa40f51dcae30a26fd2b3413a2fc73ce05e6f1d49f752d2554db2321d519f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0c30a4beaf2868aa3b763b0ae9ae01b

SHA1
1c558d0bef1b8dcf90599db1a4c1b5fd2bdca9d3

SHA256
8f2b7555cc9ef27271c76c45ca8bda9ba5184ea4c83f27c2589c423467c8374b

SHA512
2c0a0f37bd5643f42c8abcf8a136936449ddc72af3c5d101feb490a41bda4ad220c0af0cccf2226d1de3d3e17ca930ecd95432ac2ba6705435ec4dc957edd8c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16b4c9dd6281a1af50b7a40fd3b6ffdd

SHA1
3ceaac8b2ee7e2d117ad41dbe3710cb73e9f5ab4

SHA256
89d8d4793dcea724ac47e681abf52a57a0007bf2f88e576bb13be4769299f33f

SHA512
ee8ec8483daabd444e614a336031ae167809bac4e784e3ef4c6e0ec4e5ed2e21118abd6608dc41feec60d676cf52b244679e120d01b39d314a206f42047238df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3353c16c769e2360d6c3f3c6bdabfb6e

SHA1
a34ffd95686a9e26ffdd3448170e2eef45e73eb3

SHA256
a08b7af7f8a59d8c0395ef632193a1048923cf813fb36e73cd4f3cfaa972a87e

SHA512
a16c1cfa6388cf346a8b4f0fc7152ddcaf12f427d54832582887437dfa17ae9af2257214af34fc9aa2ce40d4486d17169bbaa47e8ce3247a91387038e44c2ce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
bc8584f5061a94024226001dc5c36b1d

SHA1
145ee538cc43f7d643f92c6d9924664668fa8d09

SHA256
16e40358c7797b6e1d59ceedd94fbc308301e8d775a6936e10a773720ec1ead0

SHA512
5d65b8c842a5bf602ead9dd1c5e4acb2d346b4e2bab6bc9a3c59948ffac6980c81886ef453fcb7cf86270b4f29e3e89f7370e7eee687feee041c8bd098ee2eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ba45477becdde5d4c3fafa30c10034c8

SHA1
fc1c20187311d19efd53bc138b24a5f0eb885e01

SHA256
50e643b055ad3318fe80e9275255c1aef5f996da66ddd666fb189703240c04bc

SHA512
355859462fabb11517d945142308af7a04181ca20828701eb55ed7343648e79dfb2b33be349ab61331bc16bc5239ab384c7e7fc55cd7d0606a89bfebc8ed3f2d

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\EF16.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\??\pipe\crashpad_1908_SMJYCVSPRSJMJKJU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/868-612-0x0000000002A20000-0x0000000002A88000-memory.dmp

Filesize
416KB

Download
memory/868-620-0x0000000002A20000-0x0000000002A88000-memory.dmp

Filesize
416KB

Download
memory/3996-564-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/3996-571-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/3996-574-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download